The Update Saga

What follows is the story I told my studio friends. They are somewhat Mac savvy and have been in the IT industry for a long time, so I didn’t have to explain a lot of things that may not parse well for others. Here it is.

I updated the mac mini from 10.11 to 10.12 not too long ago – version 10.12.3. Did my typical clone of the system disk each night as a backup. One day Carbon Copy Cloner told me that it had problems reading the system disk. That’s when I went on the path of fixing the mini.

Local dealer Simutek gave me the wrong answers when it came to replacing the drive, adding drives, whatever. No firm quote, no firm estimate without actually having the machine. I’m down a server no matter what I do. They had a used (2014) mini 4GB/500GB HDD for $350, so I bought that to get service back to the house. Slow? Wow…macOS is a huge dog on HDD these days. Once apps get up it runs fine. A simple reboot back to running server can take 9 minutes.

The “new” mini was cloned from a CCC backup (10.12.3) of the old one. All is well but slow. Now I can deal with the old Mac mini. OWC offers a turnkey update service. $79 which includes shipping both ways and installation of hardware. I like that price for service. I ordered a 480 GB SSD and a 2TB spinning drive to be placed in the mini. They did the task well, timely enough, and even replaced the OWC memory that was in it. Apparently it failed testing so they did the lifetime warranty replacement while it was there.

I am bold. I decide to make the mini a Fusion drive. That works fine. I restore from same clone as the new mini is running and proceed to make a new studio mac.

10.12.4 comes out. OK. Update my MacBook Pro, check. Update MacBook, check. Let’s update the new mini. Update runs, mini reboots, mini stops coming up at about 75% on the progress indicator. Done. Never completes. No amount of waiting works. Try all the standard things, no. Put new version on from Recovery partition (gets it from Apple). No.

Somewhere during all this the Fusion drive configuration is hosed. I re-partition things, re-install the CCC clone, try everything once again. No. Will not boot. Call OWC. They say they can’t help me. I need to call Apple. Apple will say no, there are no Apple disks in the machine. They can’t help. It is now 3 days of this.

I give up. I erase the drive. I install 10.12.4 from latest downloaded installer. It boots.

Oops – the erase and give up is too early in the story. That comes later…

I decide I will try updating the new mac mini with all Apple gear inside. Guess what? It won’t boot. I try all of the things that I did before, nothing works. I call Apple. They ask me for serial number (AppleCare) so they can determine if they should talk to me. I don’t have it written down. The machine won’t boot so I can’t look there. They talk me through all of the things I have already done (I’m not doing them again) and they get to the point that I should restore from a working backup (10.12.3) and let them check things with their tools. I say OK, I will call back after I get things done which could be 2 days.

I give up. I erase the drive. I install 10.12.4 from latest downloaded installer. It boots. I build my system to a basic level, get it all working. Something odd about the behavior. I clone this disk. I now have a working server for the house. Time to go back to the studio and try that mini. I do the erase and install. Works. Clone from disk from new mini. Works. After 1 week of crapping around everything seems just fine and working well.

My conclusion is that something got lost in the transition from 10.11.6 to 10.12.3 that using the combo updater for 10.12.4 (I tried) didn’t solve. There were some crusty old things on that system dating back to 2012. It got built from a 17″ iMac dating back to 2008, so we can imagine the dreadful evil hiding in the nooks and crannies.

I’m kind of tired of all the system management stuff 😉 during all of this we gave Chris’s mom Geri a MacBook Air (2010) to use as a writing tool. Geri is a 30 year PC user who likes to move things around 😉 so we had some transition issues. Marilyn, Chris’s best friend was here. She got her retirement present, a MacBook (2016) to use as a writing tool. See the common thread. Marilyn is a PC user from long ago (work), but adapted reasonably well to the new environment.

We shall not speak of mail providers who insist that outbound mail from machines should be sent out port 143 (IMAP) instead of SMTP like the creators intended.

Text* Snippets: MySQL launchd item for Mac OS X Tiger [mysql] [osx] [10.4] [tiger] [launchd]


I had to reinstall MySQL because it wasn’t one of the things I backed up before erasing my hard drive. Since I’m now running Mac OS X 10.4 Tiger, I decided to set it up to start when the system boots, but the system for creating startup items has changed slightly. So I saved the following XML in /Library/LaunchDaemons/com.mysql.Mysql.plist:

Lingon is your friend. It is a GUI for creating launchd plists. Only a little obtuse, but switching to “advanced” mode will show you what your plist looks like, so it’s easy to compare to any samples you may be looking at.

Tracking Outbound SPAM

Found in the Mac OS X system admin list:

Just wanted to say thanks to Michael Wise for taking time out today
and providing me with a great set of forensic tools and techniques
for locating message queue IDs, and using postcat on the queue to
view actual messages/headers. Now I can start the real investigation.
Haven’t found the offending script yet, but am getting closer.

Notes from my conversation with Michael, for the archives:

* First, find suspicious looking lines in /var/log/mail.log

* Look for the smtp ID, such as: postfix/smtp[25897]

* Grep for other instances of that ID in the log: grep 25897 mail.log

* From there, you’ll be able to see postfix queue IDs, such as 159A347C89C

* You can use this queue ID to find deferred messages in the postfix queue

* cd /var/spool/postfix/

* Find where in the queue directory hierarchy this message lives: find . -name 159A347C89C

* The messages are stored in a format not easily readable. To make them readable, use the postcat command, e.g. postcat deferred/E/E9B8F4F0E7C

* Now you can see the real message, with all of its headers, which should give you a lot more info about its origins. You can see whether it came from outside, or if it comes from a process ID, there should be some indication. If user is www, you know it’s coming from a web script.

* To delete a message from the queue, use e.g.: postsuper -d E9B8F4F0E7C. Do not use the path with this command – just the queue ID.

Other tools:

Monitor incoming network connections, filtering out legit traffic on
port 80:

netstat -na | grep EST
netstat -na | grep EST | grep -v '.80 '
netstat -na | grep EST | grep '.25 '

To find files or dirs owned by www (that might be illegitimate):

find / -user www -ls

In case attacker named directories with spaces or other weird chars
in them:

find / -user www -ls | cat -vet -

(take your cat to the vet – it’s sick)

Thanks also to others who responded on this.

Best,
Scot


Scot Hacker, Webmaster
Graduate School of Journalism
UC Berkeley
http://journalism.berkeley.edu
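The list post above walks through the investigation by hand. The script below is an added example, not part of Scot's post: it wraps the same grep and find steps in shell functions and runs them over a constructed mail.log excerpt and a constructed spool tree (the PIDs and queue IDs reuse the values quoted in the notes; the hostname, addresses and timestamps are made up). The `locally_submitted_by` helper goes one step beyond the notes by reading the postfix/pickup lines, which record the uid and user of a local sendmail(1) submission, so mail handed in by the web server user can be listed without opening every queue file.

```shell
#!/bin/sh
# Added example (not from the list post). Log lines and spool layout are
# CONSTRUCTED for the demo; the log path and spool root are parameters, so
# the same functions work on /var/log/mail.log and /var/spool/postfix.

# queue_ids_for_pid LOG PID
# Every queue ID the postfix/smtp process with this PID logged, de-duplicated.
queue_ids_for_pid() {
    grep "postfix/smtp\[$2\]: " "$1" \
      | sed -n 's/^.*postfix\/smtp\[[0-9]*\]: \([0-9A-F][0-9A-F]*\): .*$/\1/p' \
      | sort -u
}

# sender_of_queue_id LOG QUEUE_ID
# Envelope sender that qmgr recorded for the queue ID (first match).
sender_of_queue_id() {
    grep "$2: from=<" "$1" | sed -n 's/.*from=<\([^>]*\)>.*/\1/p' | head -n 1
}

# locally_submitted_by LOG USER
# Queue IDs that postfix/pickup accepted from a local process running as USER,
# i.e. sendmail(1) submissions, which is how a web script on the box sends.
locally_submitted_by() {
    grep "postfix/pickup\[[0-9]*\]: [0-9A-F]*: uid=[0-9]* from=<$2>" "$1" \
      | sed -n 's/^.*pickup\[[0-9]*\]: \([0-9A-F][0-9A-F]*\): .*$/\1/p' \
      | sort -u
}

# queue_file_for_id SPOOL QUEUE_ID
# Path of the queue file relative to SPOOL (what you hand to postcat from
# inside the spool directory), or nothing if it is no longer queued.
queue_file_for_id() {
    ( cd "$1" && find . -type f -name "$2" )
}

# demo_setup: write the constructed log and spool tree under a temp dir and
# print that directory. Queue files are empty placeholders here.
demo_setup() {
    D=$(mktemp -d)
    cat > "$D/mail.log" <<'EOF'
Apr 10 10:02:11 studio postfix/pickup[25880]: 159A347C89C: uid=70 from=<www>
Apr 10 10:02:11 studio postfix/cleanup[25881]: 159A347C89C: message-id=<20170410100211.abc@studio.example>
Apr 10 10:02:11 studio postfix/qmgr[25882]: 159A347C89C: from=<www@studio.example>, size=1843, nrcpt=1 (queue active)
Apr 10 10:02:12 studio postfix/smtp[25897]: 159A347C89C: to=<victim@example.invalid>, relay=none, delay=1, status=deferred (connect to example.invalid[192.0.2.10]:25: Connection refused)
Apr 10 10:02:13 studio postfix/smtp[25897]: E9B8F4F0E7C: to=<other@example.invalid>, relay=none, delay=1, status=deferred (connect to example.invalid[192.0.2.10]:25: Connection refused)
Apr 10 10:05:00 studio postfix/smtp[25901]: 7B2C9A1D0F0: to=<friend@example.invalid>, relay=mx.example.invalid[192.0.2.20]:25, status=sent (250 OK)
EOF
    mkdir -p "$D/spool/deferred/1" "$D/spool/deferred/E"
    : > "$D/spool/deferred/1/159A347C89C"
    : > "$D/spool/deferred/E/E9B8F4F0E7C"
    echo "$D"
}

# demo: answer the questions from the notes over the constructed data.
demo() {
    D=$(demo_setup)
    echo "queue IDs handled by smtp[25897]:"
    queue_ids_for_pid "$D/mail.log" 25897
    echo "queue IDs submitted locally by www:"
    locally_submitted_by "$D/mail.log" www
    for id in $(queue_ids_for_pid "$D/mail.log" 25897); do
        echo "$id sender=$(sender_of_queue_id "$D/mail.log" "$id")" \
             "file=$(queue_file_for_id "$D/spool" "$id")"
    done
    rm -rf "$D"
}
```

Source the file and call the functions with real paths (for example `queue_ids_for_pid /var/log/mail.log 25897`), or call `demo` to run them over the constructed data. Once `queue_file_for_id` gives you a relative path, cd into the spool directory and `postcat` it exactly as the notes describe; the uid recorded on the pickup line (70 is the web server user on Mac OS X) is the quickest confirmation that a message was injected by a local script rather than received over SMTP.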

Optimizing an Xserve for Web Hosting


A single Xserve is ideally suited for smaller scale Web hosting, where the task is to host a handful of moderate-traffic sites. (With a fleet of Xserves, you could host an eBay or an Apple.com, but that’s a topic for another article.) The Xserve’s Apache Web server software has a multitude of configuration options. In this article, I will go over how to set up Apache to serve multiple Web sites from the same machine—so-called “virtual hosting.” I will also look at ways to optimize the server’s setup for fast, robust Web hosting. This article assumes that you have already followed the steps in the Mac OS X Server Administrator’s Guide to start Web service. (You can find the Guide on the Mac OS X Server Manuals page.)

Kill two Windows servers with one Xserve – Tom Yager

Enterprise Mac | InfoWorld | Kill two Windows servers with one Xserve | December 21, 2006 03:07 PM | By Tom Yager

At its core, Xserve is a two-socket Core microarchitecture Xeon (Woodcrest) rack server. As I wrote in my review, in hardware design, Xserve lives up to market standards. Some touches, like the SAS/SATA drive bays, a PCI-X slot for existing expansion cards and the SuperDrive dual-layer DVD burner, help tip the scale in Xserve’s favor. But the reason to buy Xserve is OS X Server: No other server app platform rivals it, and no other server system runs it. If you want OS X Server, you need a Mac, and Xserve is the only Mac that’s equipped with external drive bays and a baseboard management controller.

VirtualHost defaults from the GUI

/etc/httpd/sites_disabled/0000_default_default.conf is where the default settings for virtual hosts (VirtualHost) used by the Server Admin GUI live.

Add or change things here so that newly added web sites pick up your favorite changes to the configuration.

httpd configuration default virtualhost

PHP enabling

The lines that enable PHP in httpd.conf (LoadModule and AddModule) are often rewritten by a system update, so after every system update check httpd.conf and make sure the PHP enabling lines are commented out.

We enable PHP ourselves at the end, with Entropy.

postfix and ports

To add a listener on port 2525, edit /etc/postfix/master.cf (look in that file for examples of the existing listener lines), then restart the mail service.

This can be useful in deciding whether the ISP is blocking access to port 25.
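As an added example of the master.cf change (not from the page), the extra listener is a copy of the existing smtp line with only the service name changed to the port number; the columns are the standard master.cf service, type, private, unpriv, chroot, wakeup, maxproc and command fields:

```text
# /etc/postfix/master.cf (added example): second smtpd listener on port 2525,
# identical to the stock "smtp inet ... smtpd" line except for the port.
2525      inet  n       -       n       -       -       smtpd
```

After restarting the mail service, a connection to port 2525 from outside the ISP's network that succeeds where port 25 times out is a strong sign the ISP is filtering 25 rather than the server misbehaving.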

Mac OS X Server 10.3: Administrator sees share points, not volumes


On the server:

In Server Admin, stop Apple File Service.
Open Terminal (/Applications/Utilities/).
Type:

sudo defaults write /Library/Preferences/com.apple.AppleFileServer admin31GetsSp false

Press Return.
Enter your administrator password when prompted, and press Return.
Quit Terminal.
Restart Apple File Service.

If you need to administer remotely, you may use the above command in an ssh session. Alternatively, you may also use this command:

sudo serveradmin settings afp:admin31GetsSp = no

AppleShare