sudo ipfw add deny src-ip 123.45.67.89, 127.0.0.1/8
That should do the trick.
Category: Unix Notes
Well, I hosed my printing system. At least it appeared that way.
I know – let’s go backwards in time and make like it didn’t happen.
Boot from the Leopard DVD. Tell it we want to restore from a Time Machine backup.
Wait about 90 minutes for the whole thing to restore. So far, so good.
I got the printing working as desired. All the systems can see the shared printers.
That should do it, right? Wrong!
1. I have a leftover swap file on the Time Machine disk – easy to get rid of – delete it.
2. I have a *very* large backup snapshot in the Time Machine – like 55GB – like it is a complete snap of the restored system. You would think that it would know that I restored from snapshot “A” and would simply make a hard link to that…hmmm
3. mail doesn’t work. My nightly cron job that backs up the databases sends mail. I didn’t get it.
Have to fix mail – wound up trying sudo /etc/postfix/post-install create-missing which got me most of the way there. I had to restart to get the mail daemons all “happy” again.
Oh, yes.
iTunes lost window positioning, had to be re-authorized for iTunes Store songs.
Mail.app decided that it had to import all of my mail! Only real problem there was that it had lots of messages marked unread that had actually been read. Not a big deal. It got the 66,000+ messages into the right places.
Categories
Leopard and crontabs
macosxhints.com – 10.5: Migrate crontabs from 10.4
n Mac OS X 10.4 (and earlier?), crontabs (the lists of tasks scheduled with cron) were stored in /var/cron/tabs. However, in 10.5, they are now stored in /usr/lib/cron/tabs, and the installer doesn’t seem to move any existing files from the old to the new location. So, the easy way to bring your old crontabs across is to run the following command in a Terminal:
sudo mv /var/cron/tabs/* /usr/lib/cron/tabs
Note that this command will replace any crontabs you’ve edited or set up since upgrading to Leopard with the version you had in Tiger; if you think there’s likely to be a clash, it would be a good idea to open the old files in a text editor and copy-and-paste the entries across to your new crontab (using crontab -e) instead.
Categories
Bourne shell idioms
perl -pe 'use MIME::Base64; $_=MIME::Base64::encode($_);'
perl -pe 'use MIME::Base64; $_=MIME::Base64::decode($_);'
That’s the piece I needed this morning. I found all sorts of entertaining things.
Some of them are vaguely in my memory. Most not, since I started before bash.
For Jan – edit command lines in the EDITOR
found in the mac os X system admin list
Just wanted to say thanks to Michael Wise for taking time out today
and providing me with a great set of forensic tools and techniques
for locating message queue IDs, and using postcat on the queue to
view actual messages/headers. Now I can start the real investigation.
Haven’t found the offending script yet, but am getting closer.
Notes from my conversation with Michael, for the archives:
* First, find suspicious looking lines in /var/log/mail.log
* Look for the smtp ID, such as: postfix/smtp[25897]
* Grep for other instances of that ID in the log: grep 25897
mail.log
* From there, youll be able to see postfix queue IDs, such as
159A347C89C
* You can use this queue ID to find deferred messages in the
postfix queue
* cd /var/spool/postfix/
* Find where in the queue directory hierarchy this message
lives: find . -name 159A347C89C
* The messages are stored in a format not easily readable. To
make them readable, use the postcat command, e.g. postcat deferred/E/
E9B8F4F0E7C
* Now you can see the real message, with all of its headers,
which should give you a lot more info about its origins. You can see
whether it came from outside, or if it comes from a process ID, there
should be some indication. If user is www, you know its coming from
a web script.
* To delete a message from the queue, use e.g.: postsuper -d
E9B8F4F0E7C Do not use the path with this command – just the queue ID.
Other tools:
Monitor incoming network connections, filtering out legit traffic on
port 80:
netstat -na | grep EST
netstat -na | grep EST | grep -v ‘.80 ‘
netstat -na | grep EST | grep ‘.25 ‘
To find files or dirs owned by www (that might be illegitimate):
find / -user www -ls
In case attacker named directories with spaces or other weird chars
in them:
find / -user www -ls | cat -vet –
(take your cat to the vet – its sick)
Thanks also to others who responded on this.
Best,
Scot
—
Scot Hacker, Webmaster
Graduate School of Journalism
UC Berkeley
Readline shortcuts
GNU Readline is the library used to make advanced command-line wizardry convenient and conistent across a multitude of command-line applications. These programs include bash, bc, ftp, gnuplot, gpg, ksh, mysql, psql, python, smbclient and xmllint.
The cheatsheet at the right contains a summary of many of the useful line editing command shortcuts which are available in all applications that use libreadline.
Categories
Clone a disk
sudo dd if=/dev/rdisk0 of=/dev/rdisk1 bs=131072
Categories
Learn 10 good UNIX usage habits
Learn 10 good UNIX usage habits
Adopt 10 good habits that improve your UNIX® command line efficiency — and break away from bad usage patterns in the process. This article takes you step-by-step through several good, but too often neglected, techniques for command-line operations. Learn about common errors and how to overcome them, so you can learn exactly why these UNIX habits are worth picking up.
I still don’t like what xargs does
Categories
sed vs. PERL
sed one-liners are here
sed FAQ is here
I wanted to change all occurrences of PRIVATE to NJPRIVATE in a bunch of files. It’s a simple command in sed, but what about replacing the file? output to temporary, then copy? yes, but.
the PERL solution is
perl -pi -e 's/PRIVATE/NJPRIVATE/' `grep -l PRIVATE *.php`
the magic is
-p loop and swallow the files, and print default.
-i edit the files in-place
-e do the command
solution found at Debian Administration
Categories
Netjuke vs. PHP 5
So, I got my PHP 5 to work, and talk to MySQL.
I wonder if Netjuke works? Nope. Not at all.
Everywhere I read I see that Netjuke is not supported and will never work on PHP 5. Use Jinzora they say. Uck – that wasn’t fun.
Simply put. Fix “play.php” to only output one header at a time. Search for the header() call. It’s pretty obvious.
Change the test in the config.inc.php for
`PRIVATE == true`
to be something like
`NJPRIVATE == true`
Fix every file that has a
`define(“PRIVATE”, true/false)`
to be a
`define(“NJPRIVATE”, true/false)`
private is a reserved word in PHP 5.
That’s all it took. All of about 30 minutes once I decided to ignore all of the advice on the web.
Classic maintenance programming attack.