Active Versus Passive FTP on Windows 2003

For the first bit, please refer to Slacksite’s article for an excellent writeup on the difference between Active and Passive FTP.

Windows IIS's FTP server uses ports 1025-5000 (the Windows 2003 ephemeral port range) for passive-mode data connections by default. You can follow the steps at Microsoft's support page to change the passive FTP port range.

For passive FTP to work, Windows Firewall must allow inbound traffic on these ports, since in passive mode the client opens the data connection to the server. Before opening anything, verify that the port range is really what you want exposed: a few hundred ports is usually plenty for an FTP server's concurrent data connections, and is far less to leave open than the default four thousand. Windows Firewall on 2003 then needs each port opened one by one; a simple script to automate this is described here.

And here is a random link (ok, the link itself isn’t random, but the link behind the link is).

Conficker Update Part 3

According to http://forum.drweb.com/index.php?showtopic=277240 , Win32.HLLW.Shadow.based (Dr.Web's name) is a variant of Conficker/Downadup.

Symptom: every available source port from 1024-5000 is in use, with connections to assorted hosts on destination port 445 (SMB). The worm is using them to probe and exploit other machines over SMB and to fetch further malicious binaries; the ephemeral port exhaustion is what makes the box unusable.

The removal tools at http://www.bdtools.net/ do not detect this variant; you have to use Dr.Web's CureIt to detect and remove it. According to Dr.Web, the recommended procedure is to install the following hotfixes first:
* MS08-067 (http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx)
* MS08-068 (http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx)
* MS09-001 (http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx)

MS08-067 closes the Server service hole Conficker spreads through over TCP 445; patch before cleaning, or an unpatched box will simply be reinfected by the next neighbour that scans it. Then run CureIt, a fully functional shareware scanner.

In case you’re reading this from an infected server, I’ve downloaded and included some of these files here (because if you’re infected, you won’t be able to access certain sites, drweb.com being one).

Google Wave

http://wave.google.com/

It's still in its early stages, and it won't become ubiquitous immediately, but with Google's promised federation and open source licensing, it may change the way we communicate in the near future. Keep an eye on this one, folks.

Dynamic iptables – “Flexible (and fun)”

Have you ever said to yourself that there should be a tool to do x, start building a tool to do it, then about halfway through your little project, somebody glances over your shoulder and says to you “hey, I use a tool like that, it’s called y, you should check it out,” so you do, and that tool is far more comprehensive and well built than the one you were working on?

Well this isn’t one of those times, because this tool hit me from left field while I was researching ways to mitigate a DDoS attack. Though there are many, many ways to do it, if all you have is a Linux box facing the world with nothing to hide its private parts except iptables, then this “flexible (and fun)” toolset is another weapon you can deploy when you get that 2:30AM call saying “our website’s down and I think it’s being DDoS’d.”

The tool is a simple set of scripts that make adding and removing specific IPs quick and simple. The author's original write-up is at http://www.ibm.com/developerworks/library/l-fw/, or is available (hosted locally) here.

Once installed, you can simply ban/unban an IP by typing ipdrop {IP ADDRESS} {on|off}

While perusing this thread at webhostingtalk.com, member dynamicnet mentioned grepping for ridiculous levels of SYN_RECV connections (a pile of half-open connections is the signature of a TCP SYN flood) and generating ipdrop commands to quickly ban the flooding IPs. Though you may accidentally drop one or two legitimate IPs (have an ACCEPT rule for your own address in place first so you don't ban yourself out of a remote box), you'll likely get the bulk of the attacking IPs. Keep in mind that SYN floods are often sent from spoofed source addresses, in which case per-IP bans chase ghosts; enabling SYN cookies (net.ipv4.tcp_syncookies = 1) is the better first move for that case.

Use netstat -n -p | grep SYN_REC | wc -l to count how many SYN_RECV connections you have (a handful is normal on a busy web server; hundreds or thousands are not).

Use netstat -n -p | grep SYN_REC | awk '{print $5}' | sort -u | awk -F: '{print "ipdrop "$1 " on"}' to generate the commands that ban every IP currently in SYN_RECV state ($5 is the foreign address column; the second awk strips the port). Review the list before piping it to a shell.

Use cat /root/.dynfw-ipdrop | awk -F: '{print "ipdrop "$1" off"}' to generate the commands that "undrop" those IPs once the attack subsides.
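As an added example (not part of the original post and not from the dynfw toolset), the script below wraps the three one-liners above into functions and adds the two checks you want at 2:30 AM: a per-IP threshold, so a single half-open connection from a real visitor does not get that visitor banned, and a whitelist, so the management address you are logged in from can never be dropped. The sample netstat output, the 203.0.113.5 whitelist entry, and the threshold value are constructed for the demo; on a live box, pipe real netstat -n -p output into the functions instead. The script only prints ipdrop commands for review; pipe its output to sh to apply them.

```shell
#!/bin/sh
# Added example: SYN-flood triage helpers built around the dynfw "ipdrop"
# script. Nothing here calls ipdrop directly; commands are emitted for review.

# Constructed sample of `netstat -n -p | grep SYN_RECV` output (Linux column
# layout: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program).
# 192.0.2.44 and 198.51.100.7 are flooding port 80; 203.0.113.5 is our own
# management host hammering sshd; 203.0.113.99 is a single legitimate visitor.
SAMPLE_NETSTAT='tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40003        SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40004        SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40005        SYN_RECV    -
tcp        0      0 203.0.113.10:80         203.0.113.99:33000      SYN_RECV    -
tcp        0      0 203.0.113.10:22         203.0.113.5:55000       SYN_RECV    -
tcp        0      0 203.0.113.10:22         203.0.113.5:55001       SYN_RECV    -
tcp        0      0 203.0.113.10:22         203.0.113.5:55002       SYN_RECV    -
tcp        0      0 203.0.113.10:22         203.0.113.5:55003       SYN_RECV    -'

# Addresses that must never be dropped (assumption: your own management host).
# Space-separated so the case match below can test for whole addresses.
WHITELIST="203.0.113.5"

# count_syn_recv: total number of half-open connections on stdin.
count_syn_recv() {
    grep -c 'SYN_RECV'
}

# syn_sources: "count ip" per foreign address in SYN_RECV state, busiest first.
# Column 5 is the foreign address; the port after the colon is split off
# (IPv4 only: an IPv6 foreign address would need a different split).
syn_sources() {
    grep 'SYN_RECV' \
        | awk '{ split($5, a, ":"); print a[1] }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# gen_ipdrop_cmds THRESHOLD: emit "ipdrop IP on" for every source with at
# least THRESHOLD half-open connections, skipping whitelisted addresses.
gen_ipdrop_cmds() {
    threshold="$1"
    syn_sources | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $WHITELIST " in
            *" $ip "*) continue ;;   # never lock ourselves out
        esac
        echo "ipdrop $ip on"
    done
}

# gen_ipdrop_undo: turn "ipdrop IP on" lines (stdin) into the matching "off"
# lines, so the ban list you applied can be reversed once the flood stops.
gen_ipdrop_undo() {
    awk '$1 == "ipdrop" && $3 == "on" { print "ipdrop", $2, "off" }'
}

# Demo on the constructed sample; on a real box use e.g.
#   netstat -n -p | gen_ipdrop_cmds 20 | tee /root/ban.sh
#   sh /root/ban.sh
if [ "${1:-}" = "demo" ]; then
    echo "$SAMPLE_NETSTAT" | count_syn_recv
    echo "$SAMPLE_NETSTAT" | gen_ipdrop_cmds 3
    echo "$SAMPLE_NETSTAT" | gen_ipdrop_cmds 3 | gen_ipdrop_undo
fi
```

With the sample input and a threshold of 3, the two flooding hosts are banned, the single-connection visitor is left alone, and the management host is skipped despite having four half-open connections. Pick the real threshold from what your server normally shows in SYN_RECV when it is not under attack, and save the generated "on" commands so the "off" list can be produced from them later.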

Downgrading Plesk

Wipe. Reload. Restore.

That's about it, AFAIK. Downgrading Plesk is a real doozy, so do your research before upgrading away compatibility. On that note, Tomcat 4 != compatible with anything past 8.0.0. I'm just saying. =P

Best bet: do your upgrades on a test box first, like you're supposed to. Even better, do it on a virtual machine and take a snapshot beforehand. And as far as upgrading Plesk goes, skipping versions instead of going one step at a time also tends to break it.
