It’s been a while.. again. Hopefully it’s not going to become a trend that every new post means I’ve shifted to a new company again.
Previously I became a sys admin, and learned a lot about revision control, code audit, peer programming and coding/scripting style. Yes, it’s a sys admin cum sys developer.
So this post is about determining the status of the previous shutdown of a Linux/BSD server: whether it was clean, forced, etc. I’ve googled a lot for a solution, but there seems to be no concrete answer. The ‘last’ command on Linux/Unix flavors shows the users last logged in to the system. In theory and in practice, a physical server shouldn’t be rebooted a lot, unless it is a testing server. A power outage, forced shutdown, etc. wouldn’t appear in any log on the system. ‘last’ tells the specific time, and the important indicators are the ‘reboot’ and ‘shutdown’ entries. A proper shutdown will always have ‘reboot’ and ‘shutdown’ together. This means that if the system shut down properly, the number of ‘reboot’ and ‘shutdown’ entries should be equal. Well, this is actually just my theory.
To test this, below is a bash script that demonstrates the behavior:
#!/usr/bin/env bash
# Count 'reboot' and 'shutdown' records in each wtmp file (current and rotated).
# More reboots than shutdowns means at least one boot was not preceded by a
# recorded shutdown, i.e. a power loss, hard reset or crash.
log_dir="/var/log"
logs_ver=( "wtmp" "wtmp.1" "wtmp.2" "wtmp.3" )
sh="shutdown"
re="reboot"
for i in "${logs_ver[@]}"; do
    wtmp_logs="$log_dir/$i"
    if [ -f "$wtmp_logs" ]; then
        echo "Log for $wtmp_logs"
        if uname -a | grep -i bsd > /dev/null 2>&1; then
            echo "System is *BSD variant"
            # anchor on the pseudo-user at the start of the line so a real
            # user name containing the word is not counted
            absd=$(last -f "$wtmp_logs" | grep -i -c "^$re")
            bbsd=$(last -f "$wtmp_logs" | grep -i -c "^$sh")
            if [ "$absd" -gt "$bbsd" ]; then
                echo "reboot $absd times > shutdown $bbsd times"
                echo "something not right"
            else
                echo "reboot $absd times = shutdown $bbsd times OK"
            fi
        elif uname -a | grep -i linux > /dev/null 2>&1; then
            echo "System is *Linux variant"
            # -x adds the shutdown and runlevel entries to the listing
            a=$(last -a -x -f "$wtmp_logs" | grep -i -c "^$re")
            b=$(last -a -x -f "$wtmp_logs" | grep -i -c "^$sh")
            if [ "$a" -gt "$b" ]; then
                echo "reboot $a times > shutdown $b times"
                echo "something not right"
            else
                echo "reboot $a times = shutdown $b times OK"
            fi
        else
            echo "unsupported system (neither BSD nor Linux)"
        fi
    else
        echo "wtmp log does not exist: $wtmp_logs"
    fi
done
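Counting entries only tells you that the totals disagree; pairing each boot with the shutdown record that should precede it tells you which boot was unclean. The script below is an added example, not from the post: it parses the Linux `last -x` listing (newest first) and walks it oldest-first, flagging every `reboot` that is not immediately preceded by a `shutdown`. The sample listing is constructed, the regex targets the Linux column layout shown in it (BSD’s `last` prints a different layout and would need its own pattern), and the oldest boot in a log is reported as unknown because nothing before it is visible.

```python
"""Classify each boot in `last -x` output as clean (preceded by a recorded
shutdown) or unclean (no shutdown record before it: power loss, hard reset,
kernel panic).  The sample input is constructed, not captured from a host."""

import re
from collections import namedtuple

Boot = namedtuple("Boot", "when kernel clean")

# Constructed sample of `last -x -f /var/log/wtmp` output (newest first),
# in the Linux layout: pseudo-user, event, kernel, timestamp.
SAMPLE_LAST_X = """\
reboot   system boot  3.2.0-4-amd64    Mon Jan  9 08:02 - 17:30  (09:28)
runlevel (to lvl 2)   3.2.0-4-amd64    Mon Jan  9 08:02 - 17:30  (09:28)
reboot   system boot  3.2.0-4-amd64    Fri Jan  6 09:00 - 08:01  (2+23:01)
shutdown system down  3.2.0-4-amd64    Thu Jan  5 18:00 - 09:00  (15:00)
reboot   system boot  3.2.0-4-amd64    Thu Jan  5 08:00 - 18:00  (10:00)
runlevel (to lvl 2)   3.2.0-4-amd64    Thu Jan  5 08:00 - 18:00  (10:00)

wtmp begins Thu Jan  5 08:00:00 2012
"""

# pseudo-user, "system boot"/"system down", kernel, then the start timestamp
LINE_RE = re.compile(
    r"^(reboot|shutdown)\s+system\s+(boot|down)\s+(\S+)\s+(.+?)\s+-\s")


def parse_events(text):
    """Return (kind, kernel, timestamp) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(3), m.group(4)))
    events.reverse()  # `last` prints newest first; we want chronological order
    return events


def classify_boots(text):
    """One Boot per reboot record; clean is True, False, or None (unknown)."""
    boots = []
    shutdown_pending = False
    first = True
    for kind, kernel, when in parse_events(text):
        if kind == "shutdown":
            shutdown_pending = True
            continue
        # The oldest boot in the log has no preceding record to judge it by.
        clean = None if first else shutdown_pending
        boots.append(Boot(when, kernel, clean))
        shutdown_pending = False
        first = False
    return boots


def unclean_boots(text):
    """Only the boots that were definitely not preceded by a shutdown."""
    return [b for b in classify_boots(text) if b.clean is False]


if __name__ == "__main__":
    labels = {None: "unknown (start of log)", True: "clean", False: "UNCLEAN"}
    for boot in classify_boots(SAMPLE_LAST_X):
        print("%-18s %-16s %s" % (boot.when, boot.kernel, labels[boot.clean]))
```

In the sample, the boot on Jan 9 follows the Jan 6 boot with no `shutdown` between them, so it is reported as UNCLEAN. Feed it real data with `classify_boots(subprocess.check_output(["last", "-x", "-f", path], text=True))`, and remember that rotated wtmp files each start with an unknown boot.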
It’s been a while since my last post. In this post I’d just like to conclude the method or approach I implemented before.
Implementing psexec and pushing the batch script to hundreds of servers is best done during off-peak hours. In theory it works, and in practice too. The picture below is an example of the implementation. Notice that the batch script executed accordingly on both the Web Server (Win2k3) and WinServer (Win2k8). Doing this to tens/hundreds of servers can actually save us a lot of time.
A little change from the previous script is to add a step that copies auditpol.exe directly from the share server (192.168.44.1) to the Windows 2003 servers, because there is no auditpol.exe on a Win2k3 system:
:Win_XP_2003
Echo copying Auditpol.exe to system32...
REM change the IP address to the share server's IP
REM /Y suppresses the overwrite prompt, which would otherwise hang an unattended psexec run
xcopy "\\192.168.44.1\auditpol\Auditpol.exe" C:\Windows\system32 /Y
Echo Enabling Auditing...
Another interesting Event Log agent I’ve stumbled upon is called Snare. I’ve been using it to send syslog-like messages from the Event logs (Security, Application and System), and it includes a web page for configuration, which is straightforward and easy to use.
For the complete how-to and the source/script for this approach, you can get it here – auditpol

*Note: the script may trigger an IDS signature such as PsExec_Service_Accessed, etc. when run against multiple destination IPs. Use with caution.
Yes, I’m still blogging..
Shifted to a new company with a rather different job scope, but still in the same field. Currently doing some projects on SIEM, which is actually a very tedious one. To keep it short: turning on the local security policy (Local Policies -> Audit Policy) on one Windows server is easy. Just navigate to the audit policy and choose either ‘Success’ or ‘Failure’ for each audit.
Automated things:
Doing this on a few hundred Windows server machines (within AD and not) can drive you crazy. I know there is a method to push settings/configuration/etc. using SCCM, but as far as I know, it requires joining AD.
One method that makes it possible to execute batch scripts on hundreds of machines is to use PsExec from Sysinternals. An example of using it looks like this (replace <password> with the account's password):
psexec @Host-List.txt -u domain\administrator -p <password> -d -i "\\server\share\batch.cmd"
We add the hostnames/IPs to the Host-List.txt file, provide the username and password, and execute the batch script from the share server. This method, at least for me, is much easier. Any other method/suggestion/comments are welcome! BTW, below is the simple batch script:
====================================================
@ECHO OFF
:: poorman Local Security Policy (Audit Policy) batch script
:: will enable success/failure for all audits except DS access
:: requires auditpol.exe on systems that do not ship it (pre-Vista)
:: win ver part shamelessly from Denis St-Pierre
:: tdr[dot]local[at]gmail.com
VER | FINDSTR /L "5.0." > NUL:
IF %ErrorLevel% EQU 0 (
    ECHO System is running Win 2000
    C:\Windows\System32\auditpol.exe /enable /system:all /logon:all /object:all /privilege:all /process:all /policy:all /sam:all
    REM jump straight to the end; otherwise execution falls through to :Win_XP_2003 and runs auditpol twice
    GOTO EXEC_CMD
)
VER | FINDSTR /L "5.1." > NUL:
IF %ErrorLevel% EQU 0 (
    ECHO System is running Win XP
    GOTO Win_XP_2003
)
VER | FINDSTR /L "5.2." > NUL:
IF %ErrorLevel% EQU 0 (
    ECHO System is running Win 2003
    GOTO Win_XP_2003
)
VER | FINDSTR /L "6.0." > NUL:
IF %ErrorLevel% EQU 0 (
    IF EXIST %SystemRoot%\System32\ServerManagerLauncher.exe (
        ECHO Running Windows 2008R1
        GOTO Win_Vista_7_2008
    ) ELSE (
        ECHO System is running Win Vista
        GOTO Win_Vista_7_2008
    )
)
VER | FINDSTR /L "6.1." > NUL:
IF %ErrorLevel% EQU 0 (
    IF EXIST %SystemRoot%\System32\ServerManagerLauncher.exe (
        ECHO Running Windows 2008R2
        GOTO Win_Vista_7_2008
    ) ELSE (
        ECHO System is running Windows 7
        GOTO Win_Vista_7_2008
    )
)
:Win_XP_2003
REM legacy auditpol.exe syntax (the resource kit tool, not the Vista+ built-in)
Auditpol.exe /enable /system:all /logon:all /object:all /privilege:all /process:all /policy:all /sam:all
GOTO EXEC_CMD
:Win_Vista_7_2008
REM built-in auditpol.exe: enable success and failure per category, DS Access excluded
C:\Windows\System32\auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
C:\Windows\System32\auditpol.exe /set /category:"Object Access" /success:enable /failure:enable
C:\Windows\System32\auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
C:\Windows\System32\auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable
C:\Windows\System32\auditpol.exe /set /category:"DS Access" /success:disable /failure:disable
C:\Windows\System32\auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
C:\Windows\System32\auditpol.exe /set /category:"Policy Change" /success:enable /failure:enable
C:\Windows\System32\auditpol.exe /set /category:"Privilege Use" /success:enable /failure:enable
C:\Windows\System32\auditpol.exe /set /category:"System" /success:enable /failure:enable
GOTO EXEC_CMD
:EXEC_CMD
ECHO Continue with Audit Policy..
PAUSE
START c:\windows\system32\secpol.msc
*Note: the script may trigger an IDS signature such as PsExec_Service_Accessed, etc. when run against multiple destination IPs. Use with caution.
This is actually an extended version of the Ruby script originally from d3t0n4t0r@lobak’s blog:
Added search-by-hash capability:
===================
#!/usr/bin/env ruby
# original from lab69.com
# Looks up a file (by computing its MD5) or a given hash against the
# VirusTotal get_file_report API and prints each engine's verdict.
require 'net/https'
require 'uri'
require 'openssl'
require 'digest/md5'
require 'rubygems'
require 'json'
require 'mechanize'

API_URL = 'https://www.virustotal.com/api/get_file_report.json'
API_KEY = 'YOUR_API_KEY_HERE'

# Print the submission date and the non-empty per-engine results from a
# get_file_report response body.
def show_report(body)
  report = JSON.parse(body)['report']
  if report.nil?
    puts "No report found for that resource"
    return
  end
  puts "Date submitted: " + report[0]
  report[1].each do |av, verdict|
    print "#{av.rjust(14)}: #{verdict}\n" unless verdict.empty?
  end
end

print "Insert choice 1=file,2=hash\n"
choice = gets.chomp
case choice
when "1"
  puts "Insert file name"
  file = gets.chomp
  # binread: the sample is a binary, so read it without text-mode conversion
  md5 = Digest::MD5.hexdigest(File.binread(file))
  uri = URI.parse(API_URL)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # verify the server certificate instead of silently accepting any peer
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  request = Net::HTTP::Post.new(uri.request_uri)
  request.set_form_data({'resource' => md5, 'key' => API_KEY})
  response = http.request(request)
  show_report(response.body)
when "2"
  agent = Mechanize.new
  puts "Please insert hash"
  hash = gets.chomp
  res = agent.post(API_URL, 'key' => API_KEY, 'resource' => hash)
  show_report(res.body)
else
  puts "Unknown choice #{choice.inspect}: enter 1 (file) or 2 (hash)"
end
=====================
A much more hardcore version is on the m4ysix blog, which added the capability of saving results into a MySQL database for reference and repository purposes.
Some of the output:
$ virustotal.rb
Insert choice 1=file,2=hash
1
Insert file name
SpyEye_suspected.exe
warning: peer certificate won’t be verified in this SSL session
Date submitted: 2011-01-06 17:55:01
Fortinet: W32/Spyeye.A!tr.dldr
TrendMicro: TROJ_GEN.R42E1JV
AntiVir: TR/Hijacker.Gen
Avast5: Win32:Spyware-gen
Antiy-AVL: Trojan/Win32.SpyEyes.gen
VirusBuster: TrojanSpy.SpyEyes!Z4tScdOCRJ0
VBA32: TrojanSpy.SpyEyes.cns
Command: W32/Heuristic-KPP!Eldorado
Sophos: Mal/Behav-010
TrendMicro-HouseCall: TROJ_GEN.R42E1JV
———–8<—————————-8<————————8<—————– snippet
Sometimes we don’t have the binary with us; then we can easily search by hash instead:
$ virustotal.rb
Insert choice 1=file,2=hash
2
Please insert hash
44cdc9159db09f327370d45914459944
Date submitted: 2011-01-06 17:55:01
Fortinet: W32/Spyeye.A!tr.dldr
TrendMicro: TROJ_GEN.R42E1JV
AntiVir: TR/Hijacker.Gen
Avast5: Win32:Spyware-gen
Antiy-AVL: Trojan/Win32.SpyEyes.gen
VirusBuster: TrojanSpy.SpyEyes!Z4tScdOCRJ0
VBA32: TrojanSpy.SpyEyes.cns
Command: W32/Heuristic-KPP!Eldorado
Sophos: Mal/Behav-010
TrendMicro-HouseCall: TROJ_GEN.R42E1JV
————–8<——————-8<——————8< snippet
From http://www.libcpu.org/wiki/Main_Page :
“libcpu” is an open source library that emulates several CPU architectures, allowing itself to be used as the CPU core for different kinds of emulator projects. It uses its own frontends for the different CPU types, and uses LLVM for the backend. libcpu is supposed to be able to do user mode and system emulation, and dynamic as well as static recompilation.”
**********Ubuntu************
I’m installing on top of Ubuntu 9.10 32-bit.
To install libcpu on Ubuntu, CMake version 2.8 or higher is required. Unfortunately (as of January 3, 2010) Ubuntu’s default CMake is still at 2.6.x, so I have to build it:
Download CMake version 2.8 or higher. I’m using cmake-2.8.4.tar.gz.
For other operating systems we can download it here: http://www.cmake.org/cmake/resources/software.html
After that, extract and build it:
# tar -zxvf cmake-2.8.4.tar.gz
# cd cmake-2.8.4
# ./configure
# make
# make install
We should now have a working CMake 2.8.4:
# cmake
cmake version 2.8.4
Usage
cmake [options] <path-to-source>
cmake [options] <path-to-existing-build>
——-8<————–8<———–
Install the dependencies:
# sudo apt-get install flex bison libreadline-dev
I issued apt-get install llvm, but that installs the 2.5 version; I’m going to have to install 2.6.
To do this, download LLVM 2.6 from http://archive.ubuntu.com/ubuntu/pool/main/l/llvm/llvm_2.6.orig.tar.gz
Then proceed with unpacking and installation:
# tar -zxvf llvm_2.6.orig.tar.gz
# cd llvm-2.6/
# ./configure
# make
# make install
You’ve got it right if it shows the 2.6 version:
root@test:~/libcpu/trunk# llvmc --version
Low Level Virtual Machine (http://llvm.org/):
llvm version 2.6 (Ubuntu 2.6-0ubuntu1)
Optimized build with assertions.
Built Oct 26 2009(19:40:39).
Download the source from the SVN repository svn://www.libcpu.org/libcpu and compile it.
After downloading, build libcpu by issuing:
# make
Running a test (inside the libcpu directory):
# test/scripts/cbmbasic.sh
**** COMMODORE 64 BASIC V2 ****
64K RAM SYSTEM 38911 BASIC BYTES FREE
READY.
For Mac OS X, we can download CMake 2.8.4 at http://www.cmake.org/files/v2.8/cmake-2.8.4-Darwin-universal.dmg
Next, download LLVM 2.6 from http://www.break.net/orlando/llvm/llvm-2.6-macosx-release-universal-1.tar.bz2
The installation procedure should be straightforward from there.
P/S: detailed information on libcpu can be found at http://www.libcpu.org/wiki/Getting_Started
This may be too late (but I don’t care :p)
I’ve never watched Tron Legacy before.. some say it’s good, some say it’s crap. Nevertheless, I’ve just got a copy of the movie (he he) and previewed it (not yet finished). The scene that attracted me is when the ENCOM OS/12 got leaked and published on the net.
Seeing a terminal/console in a movie is a very rare situation; the last time I saw one was in Matrix Reloaded, when Trinity used nmap (http://nmap.org/movies.html). Now I’ve seen it in Tron Legacy. Captured from the Blu-ray:

How cool is that?
The hexdump output of a pcap file when issuing hexdump -C looks like this:
000009e0 00 5c 00 90 90 90 90 90 90 90 90 90 90 90 90 90 |.\..............|
000009f0 90 90 90 2b c9 83 e9 b8 d9 ee d9 74 24 f4 5b 81 |...+.......t$.[.|
00000a00 73 13 ba 1a cd 77 83 eb fc e2 f4 46 70 26 3a 52 |s....w.....Fp&:R|
00000a10 e3 32 88 45 7a 46 1b 9e 3e 46 32 86 91 b1 72 c2 |.2.EzF..>F2...r.|
00000a20 1b 22 fc f5 02 46 28 9a 1b 26 3e 31 2e 46 76 54 |."...F(..&>1.FvT|
00000a30 2b 0d ee 16 9e 0d 03 bd db 07 7a bb d8 26 83 81 |+.........z..&..|
00000a40 4e e9 5f cf ff 46 28 9e 1b 26 11 31 16 86 fc e5 |N._..F(..&.1....|
00000a50 06 cc 9c b9 36 46 fe d6 3e d1 16 79 2b 16 13 31 |....6F..>..y+..1|
00000a60 59 fd fc fa 16 46 07 a6 b7 46 37 b2 44 a5 f9 f4 |Y....F...F7.D...|
00000a70 14 21 27 45 cc ab 24 dc 72 fe 45 d2 6d be 45 e5 |.!'E..$.r.E.m.E.|
00000a80 4e 32 a7 d2 d1 20 8b 81 4a 32 a1 e5 93 28 11 3b |N2... ..J2...(.;|
00000a90 f7 c5 75 ef 70 cf 88 6a 72 14 7e 4f b7 9a 88 6c |..u.p..jr.~O...l|
00000aa0 49 9e 24 e9 59 9e 34 e9 e5 1d 1f 74 99 2e 7b dc |I.$.Y.4....t..{.|
00000ab0 72 8b 22 dc 49 44 96 2f 72 21 8e 10 7a 9a 88 6c |r.".ID./r!..z..l|
00000ac0 70 dd 26 ef e5 1d 11 d0 7e ab 1f d9 77 a7 27 e3 |p.&.....~...w.'.|
00000ad0 33 01 fe 5d 70 89 fe 58 2b 0d 84 10 8f 44 8a 44 |3..]p..X+....D.D|
00000ae0 58 e0 89 f8 36 40 0d 82 b1 66 dc d2 68 33 c4 ac |X...6@...f..h3..|
00000af0 e5 b8 5f 45 cc 96 20 e8 4b 9c 26 d0 1b 9c 26 ef |.._E.. .K.&...&.|
00000b00 4b 32 a7 d2 b7 14 72 74 49 32 a1 d0 e5 32 40 45 |K2....rtI2...2@E|
00000b10 ca a5 90 c3 dc b4 88 cf 1e 32 a1 45 6d 31 88 6a |.........2.Em1.j|
00000b20 72 3d fd be 45 9e 88 6c e5 1d 77 41 41 41 41 41 |r=..E..l..wAAAAA|
00000b30 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
Here we can see there are 4 main columns (the offset, two groups of hex bytes, and the ASCII rendering). Picking out the hex values of columns 2 & 3 by hand would be tedious. Here is a simple bash one-liner to clean it up (the double spaces that hexdump -C prints after the offset and after the eighth byte have been collapsed in the listing above; they are why the hex bytes are fields 3-19 when cutting on a single space):
$ cat file | cut -d ' ' -f3-19 | sed -e 's/ //g'
This produces a neat result with just the hex:
005c0090909090909090909090909090
9090902bc983e9b8d9eed97424f45b81
7313ba1acd7783ebfce2f44670263a52
e33288457a461b9e3e46328691b172c2
1b22fcf50246289a1b263e312e467654
2b0dee169e0d03bddb077abbd8268381
4ee95fcfff46289e1b2611311686fce5
06cc9cb93646fed63ed116792b161331
59fdfcfa164607a6b74637b244a5f9f4
14212745ccab24dc72fe45d26dbe45e5
4e32a7d2d1208b814a32a1e59328113b
f7c575ef70cf886a72147e4fb79a886c
499e24e9599e34e9e51d1f74992e7bdc
728b22dc4944962f72218e107a9a886c
70dd26efe51d11d07eab1fd977a727e3
3301fe5d7089fe582b0d84108f448a44
58e089f836400d82b166dcd26833c4ac
e5b85f45cc9620e84b9c26d01b9c26ef
4b32a7d2b71472744932a1d0e5324045
caa590c3dcb488cf1e32a1456d31886a
723dfdbe459e886ce51d774141414141
41414141414141414141414141414141
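The cut/sed one-liner is fine for a dump made with hexdump -C -v, but plain hexdump -C collapses runs of identical 16-byte rows into a single `*` line, and the one-liner silently drops those bytes, which matters when you want to hash or carve the payload exactly. The parser below is an added example, not from the post: it turns hexdump -C text back into the bytes it describes, re-expanding `*` runs from the offsets around them and coping with a short final row, and `to_hex_lines` reproduces the cleaned listing above from those bytes. The sample dump is constructed (a NOP-sled-like row, a run of 0x41 rows, and a short tail), not the capture from the post.

```python
"""Parse `hexdump -C` output back into bytes.  Handles the `*` squeeze
lines hexdump emits for repeated rows and a short final row.  The sample
input is constructed for this example, not a real capture."""

import re

# Constructed hexdump -C excerpt: two full rows, a squeezed run of rows
# identical to the second one, then a short final row and the end offset.
SAMPLE_DUMP = """\
000009e0  00 5c 00 90 90 90 90 90  90 90 90 90 90 90 90 90  |.\\..............|
000009f0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00000a20  de ad be ef                                       |....|
00000a24
"""

# offset, then 1..16 hex byte pairs; the ASCII column is never hex-shaped
# because it starts with '|', so the match stops there.
ROW_RE = re.compile(
    r"^([0-9a-fA-F]{7,8})\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})")


def parse_hexdump_c(text):
    """Return the bytes described by hexdump -C output."""
    out = bytearray()
    last_row = b""
    last_offset = None
    squeeze = False
    for line in text.splitlines():
        if line.strip() == "*":
            squeeze = True        # rows identical to last_row were omitted
            continue
        m = ROW_RE.match(line)
        if not m:
            continue              # trailing offset-only line, blank lines
        offset = int(m.group(1), 16)
        row = bytes.fromhex(m.group(2))   # fromhex ignores the spaces
        if squeeze and last_offset is not None and last_row:
            # Re-expand the rows hexdump collapsed between the two offsets.
            missing = offset - (last_offset + len(last_row))
            out += last_row * (missing // len(last_row))
            squeeze = False
        out += row
        last_row, last_offset = row, offset
    return bytes(out)


def to_hex_lines(text, width=16):
    """Hex string per `width` bytes, like the cleaned listing in the post."""
    data = parse_hexdump_c(text)
    return [data[i:i + width].hex() for i in range(0, len(data), width)]


if __name__ == "__main__":
    payload = parse_hexdump_c(SAMPLE_DUMP)
    print("%d bytes recovered" % len(payload))
    for line in to_hex_lines(SAMPLE_DUMP):
        print(line)
```

For the sample, the `*` line stands for two omitted rows (0xa00 and 0xa10), so the parser returns 68 bytes where the one-liner would have produced 36; the recovered bytes can then go straight to a hash or a disassembler.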
Yesterday I had a problem with my ESXi 4. The problem was I couldn’t log in to ESXi 4 via the vSphere Client, or even with SSH. Previously there was no problem at all. The error was similar to the one below (I forgot to screen-capture mine):

The error message says “cannot complete login due to an incorrect user name or password”.
After asking around and some googling, I found 2 possibilities: either the host system is corrupted (never encountered before), or someone got my password and changed it (owned!). There are many suggestions, but I chose to repair the ESXi 4 host. Apparently I wasn’t aware of this function before. Insert the installation disk and choose “Repair”, as in the picture below:

Unfortunately, all settings (network, username, etc.) have been wiped, and I need to set up and configure them again. The VMFS directory that contains all of my VM images is safe, but I need to add the *.vmx files to the Inventory again. Luckily the VM image settings are still the same.
It’s unlikely my password leaked (since this is on my LAN only), and many others who reported this problem described the same issue with corrupted system files (hopefully; so I don’t have to worry about who stole my password :p).
Any feedback/suggestions/additions/corrections are most welcome. Thanks -salawank