Archive for the Fixing Stuff Category
PHP configuration using htaccess on 1and1 shared hosting
June 15, 2010 8:21 pm by Markus.
I had some problems setting PHP values for shared hosting on 1and1 and the suggested way from their FAQ using php.ini didn’t work for me. Here are the settings in .htaccess that worked for me:
AddType x-mapp-php5 .php

# PHP 4, Apache 1
<IfModule mod_php4.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
</IfModule>

# PHP 4, Apache 2
<IfModule sapi_apache2.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
</IfModule>

# PHP 5, Apache 1 and 2
<IfModule mod_php5.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
</IfModule>
The AddType line instructs the server to use PHP5, and the php_value lines turn off the magic quotes, register globals and session auto start features.
Posted in Fixing Stuff
Random characters in text mode -> graphics card
July 25, 2009 8:34 pm by Markus.
Quick note: One of the strangest things I’ve seen in a while was during my desktop’s boot-up today. There were random lines across the manufacturer’s BIOS logo, then all sorts of weird and random characters during BIOS messages and boot-manager. The monitor was fine, the power-on self test didn’t indicate anything fishy and even Linux would boot fine (but only in 640 x 480 resolution). If it had been the RAM or something, chances would be that the OS would have crashed or complained. Obviously it wasn’t a driver or OS issue as the computer hadn’t even booted up yet. It turns out it was the graphics card (an old 7xxx nVidia) and replacing it with a newer one did the trick. I’m a bit puzzled how the graphics card could have caused all those weird characters to show up, but I’m guessing the graphics RAM might have died or something like that.
Posted in Fixing Stuff
Vundo?
April 16, 2009 2:27 am by Markus.
My girlfriend caught a new (?) version of some malware on her machine; what a nuisance and scanners don’t seem to recognize this thing… Some think it’s Vundo, others just complain that it’s packed. It doesn’t quite fit the Vundo description, though. MD5 8e06f428178cbfbf12a8372fa6b16d0d size 50688 bytes. It registers some CLSID 721ee819-b263-42e0-a594-b82fd0f24bdf, a browser-helper object and various things for notifications by the LSA service plus AppInit_Dll. It constantly restores these keys and it seems that even stomping out all the threads that this DLL-thing spawned everywhere won’t help. I overlooked something and it just comes back as soon as the next GUI app is started. As soon as I know how to get rid of it, I’ll update this post.
Update 1:
It hooks AppInit, the run key using rundll32 to start itself and the LSA notification (something HijackThis doesn’t check). I can kill all the threads that this thing generates in each executable with ProcessExplorer and regmon will show that the constant checking of the appinit-key stops. However, as soon as the next GUI application is started it is back. So I deleted all the events and mutex objects that things created (I found some clues in the strings in memory) in each executable, again making sure that I didn’t miss anything, and it took a few seconds this time for it to come back. There’s “something” that will load the DLL with OpenProcess to load the DLL into the process space. Since the strings in the DLL show that it opens and writes to process memory this wouldn’t be surprising; question is how I find the threads that do this. Other odd things include that svchost starts a window-less iexplore.exe presumably to upload some stuff to a server or something. It might have some sloppy rootkit (RootkitRevealer went nuts with file-system discrepancies), because I can’t find the DLL (using “dir”) referenced in the keys, yet the tab-extension finds it and overwriting the non-existent file gets an access denied. Some interesting strings from the decrypted memory image of the DLL:
Update 2: Ok, I got rid of it. Turns out there’s no root-kit; the DLL was simply marked as hidden (I feel stupid…). Killing all the threads off, preventing it from re-loading and then re-installing the Service-Pack seems to have gotten rid of it for good.
Posted in Fixing Stuff, Security, Ramblings
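The four autostart locations named in the Vundo post above (AppInit_DLLs, the Run key started via rundll32, LSA notification packages and Browser Helper Objects) can be checked in one pass over saved `reg query <key> /s` output. This is an added example, not code from the original post; the sample data, the `example.dll` and `examplepkg` names and the LSA baseline set are constructed assumptions.

```python
import re

# Autostart locations named in the post, lower-cased, hive name dropped.
APPINIT = r"software\microsoft\windows nt\currentversion\windows"
LSA = r"system\currentcontrolset\control\lsa"
RUN = r"software\microsoft\windows\currentversion\run"
BHO = r"software\microsoft\windows\currentversion\explorer\browser helper objects"
LSA_BASELINE = {"scecli", "rassfm"}  # assumption: adjust to your own baseline
# One value line of `reg query` output: 4 spaces, name, type, optional data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)(?:\s{4}(.*))?$")

def audit(text):
    """Return sorted (location, detail) findings from `reg query <key> /s` output."""
    findings, key = set(), ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().split("\\", 1)[-1].lower()
            if key.startswith(BHO + "\\"):          # each subkey is one BHO CLSID
                findings.add(("BHO", key.rsplit("\\", 1)[1]))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1).lower(), (m.group(3) or "").strip()
        if key == APPINIT and name == "appinit_dlls" and data:
            findings.add(("AppInit_DLLs", data))
        elif key == LSA and name == "notification packages":
            for pkg in data.split("\\0"):           # REG_MULTI_SZ separator
                if pkg and pkg.lower() not in LSA_BASELINE:
                    findings.add(("LSA Notification Packages", pkg))
        elif key == RUN and "rundll32" in data.lower():
            findings.add(("Run", f"{m.group(1)} = {data}"))
    return sorted(findings)

# Constructed sample, not taken from an infected machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\example.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0examplepkg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    example    REG_SZ    Rundll32.exe "C:\WINDOWS\system32\example.dll",a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{721ee819-b263-42e0-a594-b82fd0f24bdf}
"""

if __name__ == "__main__":
    for location, detail in audit(SAMPLE):
        print(f"{location}: {detail}")
```

Since the post reports that the keys are constantly restored, running the same check on output captured a few minutes apart shows whether a cleaned entry has come back.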
“Internal Server Error” when converting phpBB v2 to phpBB v3
March 25, 2008 2:25 am by Markus.
I’m hosting a little phpBB installation and had some problems with the conversion script that comes with phpBB for the conversion of the forum. It seems that the timeout-values for PHP by 1and1 are set too conservatively. I found that adding the following lines to the “install/install_convert.php” file does the trick (credit for this trick):
// Lift PHP time, memory and size limits for the conversion script
@set_time_limit(0);
@ini_set('memory_limit', '256M');
@ini_set('upload_max_filesize', '128M');
@ini_set('post_max_size', '256M');
@ini_set('max_input_time', '-1');
@ini_set('max_execution_time', '-1');
@ini_set('expect.timeout', '-1');
@ini_set('default_socket_timeout', '-1');
Having the conversion script reload also seems to help a bit…
Posted in Fixing Stuff
VPN Tunnels from within VMWare (Windows XP and GRE weirdness)
February 12, 2008 1:24 am by Markus.
I was playing around with the VMWare player and a Windows XP image trying to establish a VPN connection with Microsoft’s VPN Client. It worked just fine, connected and then got stuck at “Verifying Username and Password”. After a while it aborted with a time-out error (was it error 638 or 721?). It turns out that GRE (General Routing Encapsulation) doesn’t deal well with multiple network address translations (e.g. using VMWare Networks with NAT and then my DSL-Router). It worked once I changed it to bridged network. This took me a couple of hours to figure out…
Posted in Fixing Stuff, Ramblings
KMail and GPG integration in Ubuntu (117440523 gpgme_op_decrypt_verify)
October 9, 2007 7:30 pm by Markus.
After installing the various gpg-agent packages (gpgsm, gpgagent etc.) and still no luck, a simple “sudo apt-get install pinentry-qt” did the trick (installs the password-entry dialog). Note that you have to start the gpg-agent manually (eval `gpg-agent --daemon`) before starting KMail.
Posted in Fixing Stuff
Fixing a broken Linksys WRT54G
January 29, 2007 1:53 pm by Markus.
A friend of mine recently fried one of his Linksys routers, a WRT54G (hardware version 2.0), after trying to upgrade the firmware. The box is old, no more warranty and all that. Since I played a bit with eWRT linux on the Linksys a while ago, he thought I might have use for a broken router (maybe as a paper-weight). Turns out the power light was blinking forever, but the router’s firmware didn’t come up. I recall having seen some documents on the web on fixing a broken Linksys WRT54G firmware (search for “unbrick wrt54g”; that took me a while to find). Here’s what worked for me using Linux. First, download the matching firmware for your router from the Linksys website. Then I pressed the reset-button, plugged in the power (holding the reset-button down) and kept holding the reset-button down for about 5-6 seconds, and then started the process below (i.e. I typed all that beforehand, just hitting enter for the put command). The router will be on IP 192.168.1.1 and will accept firmware updates with TFTP. It seems that this is the case even without boot_wait being set to on.
ifconfig eth0 down
ifconfig eth0 up 192.168.1.100
# clear your local firewall rules if you have to!
tftp 192.168.1.1
tftp> mode binary
tftp> rexmt 1
tftp> trace
tftp> timeout 300
tftp> put code.bin
You might have to try several times to get the timing right. You can also check with tcpdump if you get ARP replies/pings back from the router.
Posted in Fixing Stuff, ewrt linux
Making the Cisco VPN Client work (Error 51)
November 22, 2006 1:34 pm by Markus.
I just helped Michelle get her Cisco VPN Client to work after she got an “Error 51” asking her to ensure that she had at least one network adapter enabled (which was the case). The client software wouldn’t even start up to let us configure anything. After a couple of calls to tech-support, finding out that the error isn’t explained in the manual and a re-installation, we found the following to work: disable the Firewall and Virus-software (McAfee in that case; make sure your machine is still behind another firewall, e.g. your router’s firewall), go to the Control Panel > Administrative Tools > Services. Then stop and restart the “Cisco Systems, Inc. VPN Service”. The startup setting should be set to automatic BTW.
I still don’t quite understand why this works (Shouldn’t the client communicate with the service using named pipes? Shouldn’t the firewall be irrelevant for the startup of the client?), but hey…
Please leave a comment if that worked for you; or whatever workaround you found. Thanks.
Posted in Fixing Stuff, Security