Friday 27 February 2009

eircom, IRMA, internet censorship in Ireland

These are the most interesting links on this topic at the moment IMHO.

http://blog.blacknight.com/irma-threatens-irish-isps.html
http://blog.blacknight.com/images/irmaletter.pdf
http://www.viewfromthequad.com/files/irmaletter.pdf
This is what a letter from IRMA looks like >;)
You're not thinking what I'm thinking I hope ....

Dear Sirs,
Waffle blah as previously agreed:
Please block traffic from the following list of domains:

Yours adjectively,
Representatives of IRMA.


http://www.theregister.co.uk/2009/02/25/irma_letter_to_isps_blacknight_solutions/

Someone from this group spams the facebook group "Let's ensure that we have an uncensored Internet for Ireland."

Dylan Patrick Mcmorrow sent a message to the members of Let's ensure that we have an uncensored Internet for Ireland.
--------------------
Subject: REPS FOR BLACKOUT IRELAND (AGAINST INTERNET CENSORSHIP IN IRELAND)
WE ARE LOOKING FOR REPS TO BE INVOLVED IN BLACKOUT IRELAND [ WE NEED SOMEONE FROM ALL THE BIG COLLEGES AS WELL]
SEND ME A MAIL ON mcmorrod@tcd.ie OR A MESSAGE ON FACEBOOK IF YOU'RE INTERESTED

http://blog.blackoutireland.com/

Interesting :) :-P

Last day for me in CommProve today

Last day for me in CommProve (http://www.commprove.com) today.
I made apple buns.
Mike brought lemon meringue.
Pub lunch.
I cycled to and from.

New laptop installed with ubuntu.
Windows installed bare, but not network/wireless capable until a bunch more drivers are sourced from somewhere on the internet.
Meh.
Ubuntu 8.10 Intrepid Ibex a joy to install.
Repartitioning, dual boot, sound, graphics + openGL, network/wireless ...
Firefox bookmarks + passwords sync with Foxmarks.

Note to self:
rsync -avz --partial --progress user@server:dir ./
gtar -zcvf dotfiles.tgz .[a-zA-Z]*
wget -r -l 1 -k --save-cookies cookies.txt --load-cookies cookies.txt -S --keep-session-cookies --proxy=on --no-check-certificate https://server/whatever
# and rm .ssh/known_hosts as appropriate ... :-7

Tuesday 24 February 2009

limericks craze - blockus script

The wonderful board game of blockus,
Caused a tremendous amount of fuss.
We wrote a wee script,
So some real work could be shipped,
Now the script plays blockus and not us! :(

Dave's being prolific!
http://www.davidologhlin.com/limericks/

Monday 9 February 2009

perl hexdump function (substr and x operator)

I can't quite believe I'm still writing hexdump functions.
I needed one again in perl and I had a basic one but fixed it up a bit more.

Interesting things: perl's substr emits a warning if you request a substring that starts beyond the end of the string. It should be possible to persuade it not to warn, but I failed (perl v5.8.4 on Solaris intel). From `perldoc -f substr`:
my $name = 'fred';
my $null = substr $name, 6, 2; # returns '' (no warning)

For padding make use of the `x` operator. `perldoc -q pad` `perldoc perlop`
http://perldoc.perl.org/perlfaq4.html#How-do-I-pad-a-string-with-blanks-or-pad-a-number-with-zeroes%3f
my $pad = " " x $padl;

The hexdump function is meant for a file dumper that dumps different sections in separate calls, hence the option to pass in a start address. The number of chars per line, n, is also a parameter.


#!/usr/bin/perl -w
use strict;

# hexdump($text, $addroffset, $n): n chars per line
sub hexdump {
    my $text       = shift;
    my $addroffset = shift || 0;    # optional: address printed for the first byte
    my $n          = shift || 20;   # optional: chars per line
    my $pstr       = "hack";
    my $addr       = 0;

    # the extra awkward checks are to avoid warnings from substr,
    # which warns (and returns undef) when the offset is past the end
    until (!defined($pstr) || $pstr eq "" || $addr > length($text)) {
        $pstr = substr($text, $addr, $n);
        # test length() rather than truth, so a chunk that is just "0" still prints
        if (defined($pstr) && length($pstr)) {
            my $textaddr = sprintf "%08x", $addr + $addroffset;
            my $padl     = 2 * ($n - length($pstr));   # short last line: pad the hex column
            my $texthex  = join("", map { sprintf "%02x", $_ } unpack("C*", $pstr));
            my $pad      = " " x $padl;
            # non-printable bytes are shown as '.'
            $pstr =~ s/[\x00-\x1f]/./g;
            $pstr =~ s/[\x7f-\xff]/./g;
            print "$textaddr: $texthex $pad $pstr\n";
        }
        $addr += $n;
    }
}

# one should check values of n (chars per line) 16, 20, others
# one should check hexdump(""); and 1 char, 2 chars up to n*2 + 1 chars at least
hexdump("1234567");
hexdump("MMMMMMMMMMMMOOOOOOOOOOOOOOORRRRRRR\nRRRRRRRRGGGGGGG\nGGGGGGEB1234567");
hexdump("MMMMMMMMMMMMOOOOOOOOOOOOOOORRRRRRR\nRRRRRRRRGGGGGGG\nGGGGGGEB1234567",2345);
hexdump("\x00\x02\x34MMMMMMMMMMMMOOOOOOOOOOOOOOORRRRRRR\nRRRRRRRRGGGGGGG\nGGGGGGEB1234567");
hexdump("\x78\x79\x7e\x7f\x80\x81\x82\xfe\xff\x00\x02\x34MMMMMMMMMMMMOOOOOOOOOOOOOOORRRRRRR\nRRRRRRRRGGGGGGG\nGGGGGGEB1234567");

my $file = shift;
defined $file or die "usage: $0 file\n";

if ( !open( FILE, '<', $file ) ) {
    warn "$file: $!";
    exit 1;
} else {
    print "Data from $file\n";
}
binmode(FILE);   # raw bytes, not text mode

# read line by line - text mode returns short lines
#while ( <FILE> ) {
#    hexdump $_;
#}

# fixed-size reads; track the file offset so each line's address is right
my $offset = 0;
while ( my $got = read(FILE, $_, 20) ) {
    hexdump $_, $offset;
    $offset += $got;
}
close(FILE);


e.g. output:

$ ~/bin/hexdump.pl ~/bin/hexdump.pl
00000000: 31323334353637 1234567
00000000: 4d4d4d4d4d4d4d4d4d4d4d4d4f4f4f4f4f4f4f4f MMMMMMMMMMMMOOOOOOOO
00000014: 4f4f4f4f4f4f4f525252525252520a5252525252 OOOOOOORRRRRRR.RRRRR
00000028: 525252474747474747470a474747474747454231 RRRGGGGGGG.GGGGGGEB1
0000003c: 323334353637 234567
00000929: 4d4d4d4d4d4d4d4d4d4d4d4d4f4f4f4f4f4f4f4f MMMMMMMMMMMMOOOOOOOO
0000093d: 4f4f4f4f4f4f4f525252525252520a5252525252 OOOOOOORRRRRRR.RRRRR
00000951: 525252474747474747470a474747474747454231 RRRGGGGGGG.GGGGGGEB1
00000965: 323334353637 234567
00000000: 0002344d4d4d4d4d4d4d4d4d4d4d4d4f4f4f4f4f ..4MMMMMMMMMMMMOOOOO
00000014: 4f4f4f4f4f4f4f4f4f4f525252525252520a5252 OOOOOOOOOORRRRRRR.RR
00000028: 525252525252474747474747470a474747474747 RRRRRRGGGGGGG.GGGGGG
0000003c: 454231323334353637 EB1234567
00000000: 78797e7f808182feff0002344d4d4d4d4d4d4d4d xy~........4MMMMMMMM
00000014: 4d4d4d4d4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f52 MMMMOOOOOOOOOOOOOOOR
00000028: 5252525252520a52525252525252524747474747 RRRRRR.RRRRRRRRGGGGG
0000003c: 47470a474747474747454231323334353637 GG.GGGGGGEB1234567
Data from /home/james_coleman/bin/hexdump.pl
00000000: 23212f7573722f62696e2f7065726c202d770a0a #!/usr/bin/perl -w..
00000000: 23206e206279206e0a7375622068657864756d70 # n by n.sub hexdump
00000000: 207b0a202020206d79202474657874203d207368 {. my $text = sh
00000000: 6966743b0a202020206d792024616464726f6666 ift;. my $addroff
00000000: 736574203d207368696674207c7c20303b202320 set = shift || 0; #
00000000: 6f7074696f6e616c0a202020206d7920246e203d optional. my $n =
00000000: 207368696674207c7c2032303b0a202020206d79 shift || 20;. my
00000000: 202470737472203d20226861636b223b0a202020 $pstr = "hack";.
...
00000000: 3c46494c453e29207b0a23202020206865786475 ) {.# hexdu
00000000: 6d7020245f3b0a237d0a0a7768696c6520282072 mp $_;.#}..while ( r
00000000: 6561642846494c452c245f2c32302929207b0a20 ead(FILE,$_,20)) {.
00000000: 20202068657864756d7020245f3b0a7d0a hexdump $_;.}.

Friday 6 February 2009

snow week

It snowed nicely Sunday night and melted a little and snowed more Monday.
Tuesday was meant to have even more snow but it was warmer, some sleet/rain and it melted.
Thur it snowed during day then froze in the night.
Kids went to school alright Mon/Tue/Wed/Thur.
Kids walked with friends on Monday to school and had some snow fun on the way.
In school though they weren't allowed out at playtime ... because there was snow!! :(
On Tue they were allowed out to play - Daire was on First Aid duty and they were really busy.
2 of them from 5th class on duty, one looking after injured, other filling out paperwork.
I had some snow play too Monday - Maeve and I built a snowman and in the evening Kate and I built a snowman after rescuing the car from around the corner and skidding it up into our driveway.
On Tue Maeve's creche called a snow day even though it wasn't too bad.
Gritting trucks do the main roads as soon as there is ice and snow but there was more snow than could be handled this week.
We could see + hear on radio about big traffic jams. The estate here had a gritting truck today. The roads in the estate get packed snow and it's fun to watch the hill by our house. And more fun to drive the car or motorbike home!
Also Roshi and family were in Dublin airport Thur but all flights ended up being cancelled.

I worked from home Mon + Tue.
Went into work Wed + Thur by Motorbike.
Stayed home again today Friday.
Wed was grand on the roads - actually dry to drive on.
Thur morning it snowed just for 1 minute just as I got to work.
Bike visor covered fast and fogged up really quickly too. eep!
Then it snowed/melted during day and was staying on ground by afternoon.
So I headed off early and went by the coast.
Loads of cars from toll-bridge all the way to home. By coast there was some slush on roads despite the traffic.
And loads of puddles of black dirty water + slush. I guess ice blocking the drains and maybe burst pipes.
I went up Booterstown and it got quite tricky.
Not enough traffic to clear the snow.
N11 was okay - jammed with cars. I went into Stillorgan to give blood and that road was packed snow.
Back to N11 and it was just slush to home - well - there was a small sportsy mazda on right filter lane for Brewery Road skidding/stuck. Then in this estate got up 1st steep bit okay but stopped on hill when a small kid went near the road.
Then couldn't move. Back wheel skidded sideways gradually.
Some people pushed then I went up with back wheel see-saw-slipping on one side or another - eeks!
Made it to our drive.
Lots of kid visitors at home.
I pushed motorbike tidier but still left it on road.
Then got car into driveway better by rocking it more or less forward + back.


Some updates/pics on facebook:
http://www.facebook.com/home.php?ref=home#/profile.php?id=1118555017&ref=name

Thursday 5 February 2009

where is this annoying downadup coming from?

Downadup coming in on samba.
Symantec Anti-Virus detects and removes it.
But where is it coming from?
How do I catch this worm and tell where it is repeatedly coming from?
Run wireshark. Grep for samba things when anti-virus warning appears.
filter: "Protocol is smb"

When you catch it, contact the people responsible for it :)

From the trace it looks like the worm first checks that the directory \System32 exists,
then checks whether \System32\xxxxxx.dll exists.
When that lookup fails it creates the file using "NT Create AndX":

attack-ip target-ip SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \System32
target-ip attack-ip SMB Trans2 Response, QUERY_PATH_INFO
attack-ip target-ip SMB Trans2 Request, FIND_FIRST2, Pattern: \System32\nmlnszk.dll
target-ip attack-ip SMB Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
attack-ip target-ip SMB NT Create AndX Request, FID: 0x4004, Path: \System32\nmlnszk.u
target-ip attack-ip SMB NT Create AndX Response, FID: 0x4004


This filter would catch the single NT Create AndX entry in which the worm creates its file.
The worm tries various exploits, so the trace will look different on different systems.
filter: "Protocol is smb and smb.cmd == 0xa2" (0xa2 = NT Create AndX command)


No. size Time Source Destination Protocol Info
42655 191 2009-02-04 16:59:50.938003 SMB Negotiate Protocol Request
42656 240 2009-02-04 16:59:50.938419 SMB Negotiate Protocol Response
42664 202 2009-02-04 16:59:51.338727 SMB [TCP Retransmission] Session Setup AndX Request
42666 338 2009-02-04 16:59:51.394477 SMB Session Setup AndX Response
42667 134 2009-02-04 16:59:51.465066 SMB Tree Connect AndX Request, Path: \\\IPC$
42668 114 2009-02-04 16:59:51.465327 SMB Tree Connect AndX Response
42675 138 2009-02-04 16:59:51.552181 SMB Tree Connect AndX Request, Path: \\\ADMIN$
42676 120 2009-02-04 16:59:51.552603 SMB Tree Connect AndX Response
42678 152 2009-02-04 16:59:51.638915 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \System32
42679 158 2009-02-04 16:59:51.659161 SMB Trans2 Response, QUERY_PATH_INFO
42683 182 2009-02-04 16:59:51.793915 SMB Trans2 Request, FIND_FIRST2, Pattern: \System32\nmlnszk.dll
42684 126 2009-02-04 16:59:51.794635 SMB Trans2 Response, FIND_FIRST2, Error: STATUS_NO_SUCH_FILE
42685 182 2009-02-04 16:59:51.897687 SMB NT Create AndX Request, FID: 0x4004, Path: \System32\nmlnszk.u
42686 193 2009-02-04 16:59:51.898647 SMB NT Create AndX Response, FID: 0x4004
42687 130 2009-02-04 16:59:52.022915 SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x4004, Query File Internal Info
42688 126 2009-02-04 16:59:52.023171 SMB Trans2 Response, FID: 0x4004, QUERY_FILE_INFO
42765 1452 2009-02-04 16:59:52.719398 SMB Write AndX Request, FID: 0x4004, 65536 bytes at offset 0
42767 105 2009-02-04 16:59:52.719683 SMB Write AndX Response, FID: 0x4004, 65536 bytes
42837 1452 2009-02-04 16:59:53.081002 SMB Write AndX Request, FID: 0x4004, 65536 bytes at offset 65536
42838 105 2009-02-04 16:59:53.081348 SMB Write AndX Response, FID: 0x4004, 65536 bytes
42878 1220 2009-02-04 16:59:53.278313 SMB Write AndX Request, FID: 0x4004, 36252 bytes at offset 131072
42880 105 2009-02-04 16:59:53.278510 SMB Write AndX Response, FID: 0x4004, 36252 bytes
42883 99 2009-02-04 16:59:53.378656 SMB Close Request, FID: 0x4004
42884 93 2009-02-04 16:59:53.474645 SMB Close Response, FID: 0x4004
42885 182 2009-02-04 16:59:53.574003 SMB NT Create AndX Request, Path: \System32\nmlnszk.u
42886 93 2009-02-04 16:59:53.574507 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_NAME_NOT_FOUND
42887 156 2009-02-04 16:59:53.695878 SMB NT Create AndX Request, FID: 0x4005, Path: \atsvc
42888 193 2009-02-04 16:59:53.696443 SMB NT Create AndX Response, FID: 0x4005
42889 238 2009-02-04 16:59:53.839391 DCERPC Bind: call_id: 1, 2 context items, 1st ATSVC V1.0
42890 105 2009-02-04 16:59:53.839722 SMB Write AndX Response, FID: 0x4005, 116 bytes
42891 117 2009-02-04 16:59:53.922325 SMB Read AndX Request, FID: 0x4005, 1024 bytes at offset 0
42892 210 2009-02-04 16:59:53.922640 DCERPC Bind_ack: call_id: 1 Provider rejection, reason: Proposed transfer syntaxes not supported
42894 288 2009-02-04 16:59:54.038937 ATSVC JobAdd request
42902 146 2009-02-04 16:59:54.303584 ATSVC JobAdd response
42903 99 2009-02-04 16:59:54.387352 SMB Close Request, FID: 0x4005
42904 93 2009-02-04 16:59:54.387786 SMB Close Response, FID: 0x4005
43053 93 2009-02-04 17:00:21.493987 SMB Tree Disconnect Request
43058 93 2009-02-04 17:00:22.587186 SMB [TCP Retransmission] Tree Disconnect Request
43068 93 2009-02-04 17:00:24.666464 SMB [TCP Retransmission] Tree Disconnect Request
43084 93 2009-02-04 17:00:28.712442 SMB [TCP Retransmission] Tree Disconnect Request
43101 93 2009-02-04 17:00:32.759072 SMB [TCP Retransmission] Tree Disconnect Request
43116 93 2009-02-04 17:00:36.716295 SMB [TCP Retransmission] Tree Disconnect Request
43132 107 2009-02-04 17:00:38.571797 SMB Echo Request
43150 146 2009-02-04 17:00:44.806801 SMB [TCP Retransmission] Echo Request
43218 146 2009-02-04 17:01:00.892194 SMB [TCP Retransmission] Echo Request
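As an added example (not from the original post), here is a small Python detector that runs over packet summary lines in the same layout as the Wireshark listing above and flags the sequence seen there: a file created under \System32 (after a Tree Connect to ADMIN$), data written to it, then an ATSVC JobAdd. The sample lines are constructed to mirror the trace above; the pattern matching is my own and only covers what that listing shows.

```python
import re

# Constructed sample in the layout of the Wireshark listing above
# (No. size Date Time Protocol Info; Source/Destination are blank there too).
SAMPLE = r"""
42656 240 2009-02-04 16:59:50.938419 SMB Negotiate Protocol Response
42675 138 2009-02-04 16:59:51.552181 SMB Tree Connect AndX Request, Path: \\\ADMIN$
42685 182 2009-02-04 16:59:51.897687 SMB NT Create AndX Request, FID: 0x4004, Path: \System32\nmlnszk.u
42686 193 2009-02-04 16:59:51.898647 SMB NT Create AndX Response, FID: 0x4004
42765 1452 2009-02-04 16:59:52.719398 SMB Write AndX Request, FID: 0x4004, 65536 bytes at offset 0
42878 1220 2009-02-04 16:59:53.278313 SMB Write AndX Request, FID: 0x4004, 36252 bytes at offset 131072
42883 99 2009-02-04 16:59:53.378656 SMB Close Request, FID: 0x4004
42887 156 2009-02-04 16:59:53.695878 SMB NT Create AndX Request, FID: 0x4005, Path: \atsvc
42894 288 2009-02-04 16:59:54.038937 ATSVC JobAdd request
"""

LINE = re.compile(r"^(?P<no>\d+)\s+(?P<size>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
FID = re.compile(r"FID: (0x[0-9a-fA-F]+)")
PATH = re.compile(r"Path: (\S+)")
WRITE = re.compile(r"(\d+) bytes at offset")


def analyse(listing):
    """Return alert strings for file-drop-then-ATSVC-job sequences in the listing."""
    admin_share = False
    drops = {}      # FID -> {"path": ..., "bytes": ...} for files created under \System32
    alerts = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, info, frame = m["proto"], m["info"], int(m["no"])
        if proto == "SMB" and info.startswith("Tree Connect AndX Request") and info.endswith("ADMIN$"):
            admin_share = True
        elif proto == "SMB" and info.startswith("NT Create AndX Request"):
            fid, path = FID.search(info), PATH.search(info)
            if fid and path and path.group(1).lower().startswith("\\system32\\"):
                drops[fid.group(1)] = {"path": path.group(1), "bytes": 0}
        elif proto == "SMB" and info.startswith("Write AndX Request"):
            fid, w = FID.search(info), WRITE.search(info)
            if fid and w and fid.group(1) in drops:
                drops[fid.group(1)]["bytes"] += int(w.group(1))
        elif proto == "ATSVC" and info.startswith("JobAdd request"):
            # a scheduled job right after a remote file drop: the sequence in the trace above
            for fid, d in drops.items():
                if d["bytes"]:
                    alerts.append(f"frame {frame}: ATSVC JobAdd after {d['bytes']} bytes written "
                                  f"to {d['path']} (FID {fid}, via ADMIN$={admin_share})")
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE):
        print(a)
```

The same lines can be produced from a real capture with tshark's summary output, but the column layout must match the regex above.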


e.g. Worm coming in using NetPathCanonicalize:
http://www.icmpecho.com/tag/downadup/
smb.service contains "NetPathCanonicalize"

NetPathCanonicalize again:
http://annysoft.wordpress.com/2009/02/01/downadupconfickerkido-infection-traffic-analysis/

http://www.f-secure.com/security_center/downadup.html
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
http://www.zdnet.co.uk/tsearch/downadup.htm