Tag Archives: linux

Check a bulk of IP for reverse dns

Recently I’ve encounter list of IPs that are related to CoinHive. So I want to check for these IPs DNS. We can do that by using dig command to perform reverse DNS (rDNS).

Reverse DNS (rDNS) is a method of resolving an IP address into a domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.

I found this script at this site:

#!/bin/bash

for item
	do
		domain=$(dig -x "$item"  +short)
		if [ -n "$domain"  ] ;
			then
			echo "$item" - "$domain"
		else
			echo "$item" result is NULL
		fi
	done

Just save this code above in your Linux/*nix machine, and run this command as below:

[email protected]:~# cat ip.txt | xargs bash reverse_dns

The result should be like this:

Shell hiding in image files

One day, we noticed strange GET request towards our JBoss server:

From the request above, you’ll quickly noticed that this attack leveraging Apache Struts vulnerability from CVE-2017-5638.

The request tried to execute command below:

“-O” : writes the documents to file.
“-” : if is used as file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch image (jpeg file) from 91.230.47.41. Seems normal right?
We fetch the file & take a look at the jpg file:

ASCII?? Not JPEG?? hmm..
Here’s whats inside the “logo.jpg” file:

We noticed there are several other file fetched; possibly a config file & bin file.
Let’s fetch those file!

Here is the config file:
http://91.230.47.41/pics/kworker.conf

Not sure it is. Maybe bin file to run a process:
http://91.230.47.41/pics/kworker

Lets see if the file is packed:

Yup. So lets unpacked the file using UPX:

http://91.230.47.41/pics/kworker_na

Overall, looks like the attacker want to hack our servers & turn it into his own crypto currency mining machine.
Typical behavior of attack we see in this time where the crypto currency is rising. People hack to make profit. πŸ™‚

Here the MD5 for file above:

Configuring proxy for APT in Ubuntu

Recently, I have a problem where when I tried to update Ubuntu package via apt-get, it shows HTTP 401 proxy error related.
Just a note, I’m running the VM using my office network which has a proxy servers.

From this site;

APT configuration file method
This method uses the apt.conf file which is found in your /etc/apt/ directory. This method is useful if you only want apt-get (and not other applications) to use a http-proxy permanently.
On some installations there will be no apt-conf file set up. This procedure will either edit an existing apt-conf file or create a new apt-conf file.
gksudo gedit /etc/apt/apt.conf
Add this line to your /etc/apt/apt.conf file (substitute your details for yourproxyaddress and proxyport).
Acquire::http::Proxy “http://username:[email protected]:proxyport”;
Save the apt.conf file.

References :
http://askubuntu.com/questions/257290/configure-proxy-for-apt
http://askubuntu.com/questions/543616/why-does-add-apt-repository-now-fail-to-retrieve-keys-behind-my-proxy-server-bu

Upgrade Python packages at using pip

As you read in the title above; to update your python packages via pip:

for Linux/*nix:

p/s: you may need to run as sudo. Probably.

for Windows:

Credit: http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Shell script fails: Syntax error: β€œ(” unexpected

The error when executing the bash code:

The script does not begin with a shebang line, so the kernel executes it with /bin/sh. On Ubuntu, /bin/sh is dash, a shell designed for fast startup and execution with only standard features. When dash reaches the line, it sees a syntax error: that parenthesis doesn’t mean anything to it in context.

Since dash (like all other shells) is an interpreter, it won’t complain until the execution reaches the problematic line. So even if the script successfully started at some point in your testing, it would have aborted once the problematic line was reached.

The shebang line must be the very first thing in the file. Since you use bash features, the first line of the file must be #!/bin/bash or #!/usr/bin/env bash.

Credit: http://unix.stackexchange.com/questions/45781/shell-script-fails-syntax-error-unexpected

Fix Locale problem on Ubuntu

Recently, I saw this kind or error quite frequent. At first I thought that it was nothing.
But eventually, it’s kinda bothering me when I see the error message. :p

So, here is the solution to solve this problem.
First, run this command:

It updates /etc/default/locale with provided values.

If you see the /etc/default/locale file, it shows something like this:

If the problem still occur, maybe you can try this first before running the command above again:

Credit to http://askubuntu.com/questions/162391/how-do-i-fix-my-locale-issue/505424#505424

SNMP Cannot Find Module on Ubuntu 14.04

If you encounter error something like this:

Then, where are in the same path. Path where we searching for the answers. XD
So, here is the solution to solve this error.

First, edit this sources.list file:

add this line to the end of file:

:w to save and :q to exit vi editor

Then, install this packages:

And then run this:

Voila! Done. Hope it helps. πŸ™‚

Ubuntu – Authentication token manipulation error

Authentication token manipulation error on Ubuntu

Authentication token manipulation error on Ubuntu

Recently, I forgot my “root” password for my Ubuntu (duh!). So I try attempting to change my “root” password by selecting recovery mode on the grub menu and dropped into a root shell prompt.

Everything works perfect until I try to change the password. The picture above is what I get when i try to change the password. πŸ™

So, to solve this, just run this on the prompt:

Anddddd… Walla! Try to reset the password again and it works! πŸ™‚

Hash sum mismatch error on Ubuntu

I think most of you will encounter with this kind of problem if you are using the previous version of Ubuntu.

The solution is to remove the content of /var/lib/apt/lists directory:

then run:

Credit to askubuntu.com