Sunday, January 26, 2014

Dream Cheeky email notifier and Linux

As much as email and webpage alerts are useful, sometimes you just need a good old-fashioned physical heads-up saying something is broken. Enter the Dream Cheeky USB email notifier.

 


It's designed to hook up to a PC and light up any color you want when you get emails. I stumbled across this and thought it was perfect for monitoring in Linux. But like most things, no official Linux support. After some digging though, I found some instructions on how to get it to work with Linux (https://github.com/daniel-git/usblamp). So I got mine from Amazon yesterday and it works like a charm.

Some quick commands to get it up and running:

sudo apt-get install g++
sudo apt-get install libusb-dev
wget https://github.com/daniel-git/usblamp/tarball/master --no-check-certificate
tar xzf master
cd daniel-git-usblamp*/src
make
sudo make install


And that's it. You control it via the command "usblamp". Works great in bash scripts. Some examples include:

usblamp green
usblamp '#8258FA'
usblamp off

The switching time keeps up with as fast as the system can change the color (did a while loop to test). I'm sure this could be physically hacked so it's not a little envelope sitting on a server. You could probably take it apart and do other stuff with it. But for under $20, it's hard to beat.
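As an added example (not from the post or the usblamp project), here is one way to drive the lamp from a bash health check: each check returns a Nagios-style code (0 ok, 1 warning, 2 critical), the worst result picks the colour, and the lamp command sits in a variable so the logic can be exercised without the device. The check names, thresholds and hex colours are my assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post: a "physical heads-up" loop
# for the usblamp notifier. Checks return 0 (ok), 1 (warning) or 2 (critical);
# the worst code decides the colour. LAMP_CMD can be overridden for testing.
set -u

LAMP_CMD=${LAMP_CMD:-usblamp}

# Map a list of check codes to a colour: 0 -> green, 1 -> yellow, 2+ -> red.
# Hex colours, since the post shows usblamp accepting '#RRGGBB'.
severity_color() {
  local worst=0 code
  for code in "$@"; do
    [ "$code" -gt "$worst" ] && worst=$code
  done
  case $worst in
    0) echo '#00FF00' ;;
    1) echo '#FFFF00' ;;
    *) echo '#FF0000' ;;
  esac
}

# Pure threshold logic (my convention): USED% WARN% CRIT% -> 0 / 1 / 2
usage_to_code() {
  local used=$1 warn=$2 crit=$3
  [ "$used" -ge "$crit" ] && return 2
  [ "$used" -ge "$warn" ] && return 1
  return 0
}

# Disk check: MOUNT WARN% CRIT%. An unreadable mount counts as critical.
check_disk() {
  local used
  used=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { sub("%", "", $5); print $5 }')
  [ -n "$used" ] || return 2
  usage_to_code "$used" "$2" "$3"
}

# Process check: PATTERN -> 0 if something matching is running, else 2
check_proc() {
  pgrep -f -- "$1" > /dev/null 2>&1 && return 0
  return 2
}

# Run every check, set the lamp from the worst code, and return that code so
# the script can be chained from cron or a monitoring loop.
run_checks() {
  local codes=() c rc=0
  check_disk / 80 95;  codes+=($?)
  check_proc 'sshd';   codes+=($?)
  "$LAMP_CMD" "$(severity_color "${codes[@]}")"
  for c in "${codes[@]}"; do [ "$c" -gt "$rc" ] && rc=$c; done
  return "$rc"
}

# Uncomment to run once; wrap it in a sleep loop or call it from cron.
# run_checks
```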

Friday, January 24, 2014

Dual y axis in gnuplot

Yeah, there are resources out there on this, but I had to do some playing around to get what I wanted out of it, so I figured I'd post it here. I needed to graph free RAM, free swap, and the 5-minute average load in one graph. Given that the RAM and swap were in MB and the CPU average was going to be on a 0-100 scale, it called for the use of two axes. So here's the script for it.

#! /bin/bash
# mark hamsel 1/24/14
# Script for plotting free ram, free swap, and 5 min cpu load

## Gnuplot config
#set term png
#set output '/var/www/freemem.png'
#set terminal png size 1500,400
#set ylabel "Megabytes" #left hand y axis label
#set y2label "CPU 5 min Avg" #righthand y axis label
#set xlabel "  " #using an obvious time so no xlabel
#set xtics rotate by 270
#set key outside
#set grid
#unset colorbox
#set yrange [0:4200] #Only had 4 gigs on the machine and I'm measuring in MB
#set y2range [0:100] #Utilization is a percent so 0-100
#set y2tics autofreq  norangelimit #This makes it so you can see the 0-100 tics
#set terminal png truecolor # Needed this to use transparent filledcurves
#set style fill transparent solid 0.50 noborder #Set the default plot style
## 1 is memory and 2 is swap
#plot '/home/mark/scripts/freemem.dat' using 3:xticlabel(1) w filledcurves x1 lc rgb '#630595' title 'Swap' axes x1y1, \
#'/home/mark/scripts/freemem.dat' using 2:xticlabel(1) w filledcurves x1 lc rgb '#00995E' title 'Ram' axes x1y1, \
#'/home/mark/scripts/freemem.dat' using 4:xticlabel(1) w lines lw 3 lc rgb '#DC6022' title 'CPU' axes x2y2



### This part gathers the data ###
date=$(date +%H:%M)
# Free memory and free swap in MB, one value per line (Mem row first, Swap row second).
# -o is the old procps flag that drops the "-/+ buffers/cache" row; procps-ng no
# longer accepts it, and plain "free -m" there gives the same two rows.
values=$(free -mo | grep -v total | awk '{print $4}')
# 5 minute load average (second field of /proc/loadavg)
fiveminloadavg=$(awk '{print $2}' /proc/loadavg)
# Append one line of source data: time, free mem, free swap, load avg.
# $values is unquoted on purpose so its two lines collapse into one.
echo $values $fiveminloadavg | sed "s/^/$date /" >> /home/mark/scripts/freemem.dat
# File cleanup so I only have the most recent 60 samples
file=/home/mark/scripts/freemem.dat
DATALINES=$(wc -l < "$file")
while [[ $DATALINES -gt 60 ]]
do
  sed -i '1 d' "$file"
  DATALINES=$(wc -l < "$file")
done
# Plot it
gnuplot /home/mark/scripts/gnuplotfreemem.cfg



Some malware at a Microsoft owned IP

Had a link in a spam message of hxxp://compra-da-sorte-cielo.com. That redirected to hxxp://137.135.200.64/Cadastro.




This page was wanting you to sign up and hand over some info. But if you went straight to the 137.135.200.64 IP, you got prompted to save an exe directly. The scan can be found HERE. Interestingly, that IP belongs to Microsoft as well (http://whois.arin.net/rest/net/NET-137-135-0-0-1/pft).

Running the malware shows it reaches out to hxxp://playshows.com.br/12/googletalk.zip and downloads it. But it turns out it's password protected. Need to do more digging.

Thursday, January 23, 2014

Your dreams can come true in bash

It's no secret. I like bash. I'm the only one of my circle that seems to like it. I ain't gonna be no python convert. Despite this, coworkers try to always convince me how "bash is unwieldy past 10 lines".


A situation came up where some specific servers needed monitoring. A lot of servers. A lot of processing. The design needed to process about 25 gigs of data an hour from the servers. All collected from remote Windows servers. After collection, the files are processed, webpages are auto generated/updated, things are logged, built in error handling, and of course graphs galore. Developers wanted tickets made, meetings scheduled, and months to work on it. Nah, gimme a week.





Working flawlessly for months. But seriously, it's probably stupid to use bash like this. I may be able to make something work real quick, but that doesn't make it the proper way. Always have dev do it if you can. Then it's their fault when it breaks.

GIF with gnuplot

I needed to make a rotating graph in gnuplot. The plot itself was a 3d plot with one axis being time, one being a server name, and one being a mail count. The graph was fine and all but due to using the heat surface look, it was hard to see some things in the back of the graph. So I wanted to make a gif that simply rotated it.

I did some research and this ended up seeming nigh impossible to do within gnuplot alone. I was able to plot the graph how I wanted by controlling the viewpoint. So I figured if there is a way I can make a ton of output png files, I could use those to create a gif. Turns out this method works quite well. And the best part is that it can all be automated with a script needing no human interaction. The only downside is if you want a small gif at the end, you need to resize/resample it. The final gif I use is a rofling 30 megs. It's 360 frames at a full 1400 by 700 a frame. But on an internal network, this is perfectly fine. You can adjust resolution of the individual graphs in the gnuplot config file.



#! /bin/bash
# mark hamsel 1.23.14
# Script for creating a gif from the gnuplot pics.
# You need this for fonts:
sudo apt-get -y install libgd2-xpm-dev build-essential
# This was for starting out without any residual files
rm /var/www/Servers/test/*.png /var/www/Servers/test/*animation*gif

# All the counters and such initiated
count=0
rotation=0
gifnum=0
gifchunk=0
fullcount=0


while [ $fullcount -lt 360 ] # Main loop; 360 degrees for a perfect spin gif
do

  # 'convert' is used to make the gif and it uses globbing;
  # more than 10 pics at a time will mean they get out of order
  while [ $count -lt 10 ]
  do
    # see the gnuplot config file below

    # These sed statements substitute the output picture number and the view angle
    # into a copy of the config on each pass through the 10-count 'while' loop
    sed "s/XNUMX/$count/" /var/www/Servers/test/3dgnuplot.cfg > /var/www/Servers/test/3dgnuplot.cfg.tmp
    sed -i "s/XVIEWX/$rotation/" /var/www/Servers/test/3dgnuplot.cfg.tmp

    # make 1 graph
    gnuplot /var/www/Servers/test/3dgnuplot.cfg.tmp

    # increment the 10-count, the full count (up to 360) and the rotation degree (last two interchangeable really)
    count=$((count + 1))
    rotation=$((rotation + 1))
    fullcount=$((fullcount + 1))
  done

  # so after making 10 pictures, use convert to make a gif; keeping it at 10 means globbing works fine
  # gifnum is just the number of this 10-frame gif so I can glob those later
  convert -delay 20 -loop 0 /var/www/Servers/test/*.png /var/www/Servers/test/$gifnum.animation.gif
  # after making the gif, remove the png's
  rm /var/www/Servers/test/*.png
  # reset the 10-count
  count=0
  # increment the gif counter
  gifnum=$((gifnum + 1))


  #####################################
  # After nine 10-frame gifs, glob them together into a larger gif chunk.
  # (Nine, not ten: 360 frames give 36 small gifs, which split evenly into four
  # chunks of nine; chunks of ten would leave six small gifs for the final rm to eat.)
  if [[ $gifnum -eq 9 ]]
  then
    convert -delay 20 -loop 0 /var/www/Servers/test/*animation.gif /var/www/Servers/test/animation.$gifchunk.gif
    gifchunk=$((gifchunk + 1))
    gifnum=0
    rm /var/www/Servers/test/*.animation.gif
  fi
  #####################################

done
# After all is said and done and you get the 360 degrees (360 pics made),
# remove all gifs except the larger gif chunks you made,
# then use convert to combine all your chunks together into a mega gif
rm /var/www/Servers/test/*.animation.gif
convert -delay 10 -loop 0 /var/www/Servers/test/animation.* /var/www/Servers/test/myfinalform.gif
# myfinalform.gif is the finished product


## gnuplot config used (this is /var/www/Servers/test/3dgnuplot.cfg); adjust these to adjust the final gnuplot form
#set term png
#set output '/var/www/Servers/test/XNUMXdgraph.png'
#set terminal png size 1400,700
#set title "Messages processed each hour"
#unset border
#unset surface
#set pm3d at bs
#set hidden3d
#set ylabel "Server"
#set xlabel "Time"
#set dgrid3d 100,100,2
#set samples 50
#set isosamples 50
#set view ,XVIEWX
#splot '/var/www/Servers/3dgnuplot.dat' using 2:1:4:xtic(2):ytic(3) title "Message Counts"

So it may seem like a lot, but most of that code is purely to get globbing to work. Without it, you get a jumbled gif because the files come out in lexical order (1, 12, 2, 22, 3, 37, etc). So here's a simple breakdown of what's going on.

  • Make 10 graphs at incrementing angles
  • Take those 10 graphs and make a gif
  • Rinse and repeat the above
  • If you get 10 gifs, combine them into a larger gif
  • Once 360 pics are made into 10-at-a-time gifs, combine all of those gifs into the final product
Here's a trimmed-down sample of it.


See, easy right?
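An added example (not the blog's script): zero-padded frame names sort correctly under a shell glob, so all 360 frames can go into one convert call with none of the 10-at-a-time chunking above. It assumes a gnuplot config template containing the placeholders XOUTX (output file) and XVIEWX (view angle), both my names, and that gnuplot and ImageMagick's convert are installed.

```bash
#!/bin/bash
# Added example, not the original script: render a 360-frame spin with
# zero-padded frame names so a single glob keeps them in numeric order.
set -euo pipefail

# Frame N -> "frame_000.png" .. "frame_359.png". Three digits cover 0..999,
# so "frame_012.png" sorts after "frame_002.png" the way the numbers do.
frame_name() {
  printf 'frame_%03d.png' "$1"
}

# Return 0 if the files matching DIR/frame_*.png come out of the glob in
# numeric order starting at 0 (the property the chunking worked around).
glob_order_is_numeric() {
  local dir=$1 n=0 f
  for f in "$dir"/frame_*.png; do
    [ "$f" = "$dir/$(frame_name "$n")" ] || return 1
    n=$((n + 1))
  done
  return 0
}

# Render one frame per degree from TEMPLATE into OUTDIR and combine them.
# TEMPLATE is assumed to contain  set output 'XOUTX'  and  set view ,XVIEWX
render_spin() {
  local template=$1 outdir=$2 angle out cfg
  mkdir -p "$outdir"
  cfg="$outdir/spin.cfg.tmp"
  for angle in $(seq 0 359); do
    out="$outdir/$(frame_name "$angle")"
    # '|' as the sed delimiter because $out contains slashes
    sed -e "s|XOUTX|$out|" -e "s|XVIEWX|$angle|" "$template" > "$cfg"
    gnuplot "$cfg"
  done
  rm -f "$cfg"
  # One convert call over all 360 frames; the glob is already in order.
  convert -delay 2 -loop 0 "$outdir"/frame_*.png "$outdir/spin.gif"
}

# Usage (not run here):
# render_spin /var/www/Servers/test/3dgnuplot.cfg.template /var/www/Servers/test/spin
```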



Wednesday, January 22, 2014

Looking at Asprox again

I started up the Asprox bot again to poke around at it. Ever since they changed the encryption, things have been much more challenging and time consuming. Nothing interesting so far, but I did notice it has a very specific 13-minute wait before hitting up the C2 server for check-ins.



Quick and dirty iptables graphing

I had a situation come up where I needed to monitor some iptables rules and make graphs for them. This was in a test system, so I essentially had a lot of freedom to do whatever, just get it working.

I was going to set up something like cacti or nagios, but honestly that would have been such a headache for such a simple thing I needed. I simply needed to make some graphs based on simple numbers from an iptables output.

So here's what I did. It's quick and dirty. So very dirty. I cringe looking at some things I did now. But I did get the results I needed for the test system and it only took about 10 minutes. Most of this was written in one sitting without testing. I think I had to make about 5 changes from the original version while writing.  Not bad for only using some basics. Of course depending on the rules you use, the regex would be different to find the rules you are tracking.



#! /bin/bash
# This script makes graphs for iptables entries

# Get current time as variable
date=$(date +%H:%M)

# Get iptables data to graph
iptables -L -n -v > /home/mark/scripts/iptables.last


################ FORWARD ################
# Needed to monitor the iptables rules I had made for 192.168.1.2 and .3 (scales easily though).
# Column 2 is the byte counter, column 9 the destination. The sed chain expands the K/M/G
# suffixes iptables prints (1000-based) and drops the last three digits of the counter to get
# KB; the strip is anchored to the first field so the IP address that follows is left alone.
grep 'ACCEPT.*all.*0\.0\.0\.0.*192\.168\.1\.[23]' /home/mark/scripts/iptables.last | awk '{print $2, $9}' | sed -e 's/K/000/' -e 's/M/000000/' -e 's/G/000000000/' -e 's/^\([0-9]*\)[0-9][0-9][0-9] /\1 /' | sed "s/^/$date /" >> /home/mark/scripts/iptablesforward.dat


# Clean up data file so it only has the most recent 60 records (120 since there are two IPs)
DATALINES=$(wc -l < /home/mark/scripts/iptablesforward.dat)
while [[ $DATALINES -gt 120 ]]
do
  sed -i '1 d' /home/mark/scripts/iptablesforward.dat
  DATALINES=$(wc -l < /home/mark/scripts/iptablesforward.dat)
done


# Make separate files for graphing, easy way (120 above = 60 lines of each)
grep 192.168.1.2 /home/mark/scripts/iptablesforward.dat > /home/mark/scripts/iptablesforward.dat.2
grep 192.168.1.3 /home/mark/scripts/iptablesforward.dat > /home/mark/scripts/iptablesforward.dat.3

# Gnuplot config file
#set term png
#set output '/var/www/iptablesforwardstats.png'
#set terminal png size 1500,400
#set ylabel "Data forwarded in KB"
#set xlabel "  "
#set xtics rotate by 270
#set grid
#set key outside
#plot '/home/mark/scripts/iptablesforward.dat.2' using 2:xticlabel(1) with lines lw 3 title '192.168.1.2', \
#'/home/mark/scripts/iptablesforward.dat.3' using 2:xticlabel(1) with lines lw 3 title '192.168.1.3'

gnuplot /home/mark/scripts/iptablesFWDgnuplot.cfg

################ FORWARD ################




################ Interface Stats ################

# The three greps below pick the 1st, 2nd and 3rd 'ACCEPT all 0.0.0.0/0 -> 0.0.0.0/0'
# rule in the iptables -L output, which for this ruleset is the INPUT, FORWARD and
# OUTPUT chain in that order (line position, so it breaks if the ruleset changes).
# Input
grep 'ACCEPT.*all.*0.0.0.0/0.*0.0.0.0/0' /home/mark/scripts/iptables.last|sed -n '1p'|awk '{print $2}'|sed -e 's/K/000/' -e 's/M/000000/' -e 's/G/000000000/' -e 's/[0-9][0-9][0-9]$//' |sed "s/^/$date /" >> /home/mark/scripts/iptablesINTinput.dat
# Forward
grep 'ACCEPT.*all.*0.0.0.0/0.*0.0.0.0/0' /home/mark/scripts/iptables.last|sed -n '2p'|awk '{print $2}'|sed -e 's/K/000/' -e 's/M/000000/' -e 's/G/000000000/' -e 's/[0-9][0-9][0-9]$//' |sed "s/^/$date /" >> /home/mark/scripts/iptablesINTforward.dat
# Output
grep 'ACCEPT.*all.*0.0.0.0/0.*0.0.0.0/0' /home/mark/scripts/iptables.last|sed -n '3p'|awk '{print $2}'|sed -e 's/K/000/' -e 's/M/000000/' -e 's/G/000000000/' -e 's/[0-9][0-9][0-9]$//' |sed "s/^/$date /" >> /home/mark/scripts/iptablesINToutput.dat



# Clean up data files so they only have the most recent 60 records
for file in /home/mark/scripts/iptablesINTinput.dat /home/mark/scripts/iptablesINTforward.dat /home/mark/scripts/iptablesINToutput.dat
do
  DATALINES=$(wc -l < "$file")
  while [[ $DATALINES -gt 60 ]]
  do
    sed -i '1 d' "$file"
    DATALINES=$(wc -l < "$file")
  done
done

#set term png
#set output '/var/www/iptablesinterfacestats.png'
#set terminal png size 1500,400
#set ylabel "Data in KB"
#set xlabel "  "
#set xtics rotate by 270
#set key outside
#set grid
#plot '/home/mark/scripts/iptablesINTinput.dat' using 2:xticlabel(1) with lines lw 3 lc rgb 'green' title 'INPUT', \
#'/home/mark/scripts/iptablesINTforward.dat' using 2:xticlabel(1) with lines lw 3 lc rgb 'red' title 'FORWARD', \
#'/home/mark/scripts/iptablesINToutput.dat' using 2:xticlabel(1) with lines lw 3 lc rgb 'blue' title 'OUTPUT'

gnuplot /home/mark/scripts/iptablesINTgnuplot.cfg

################ Interface Stats ################

# Reset IPtables so I don't have to do any weird math next run (only graphing new rule hits; not cumulative)
iptables -Z
# I consider this a cheater move but it saved some lines and we didn't need iptables tracking to stay cumulative
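As an added example (not the blog's script), here is a sturdier version of the two brittle pieces in the script above: selecting a counter by chain and destination instead of by line position, and expanding the K/M/G suffixes that iptables -v prints (1000-based, which is what the sed substitutions above assume). The sample iptables output and the keep_last_lines helper are my constructions.

```bash
#!/bin/bash
# Added example, not the blog's script: pull per-rule byte counters out of
# `iptables -L -n -v` by chain and destination, expand K/M/G into bytes, and
# trim a data file to its last N lines in one step.
set -euo pipefail

# Constructed sample of `iptables -L -n -v` output for offline testing.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234  987K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  560   12M ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.2
   77  4096 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.3
    3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  900    2G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rule_bytes CHAIN TARGET DEST: print the byte counter (in bytes) of the first
# rule in CHAIN with that target and destination column. Reads iptables output
# on stdin; prints nothing if no rule matches.
rule_bytes() {
  local chain=$1 target=$2 dest=$3
  awk -v chain="$chain" -v target="$target" -v dest="$dest" '
    /^Chain / { cur = $2; next }                 # remember which chain we are in
    cur == chain && $3 == target && $9 == dest && !found {
      n = $2 + 0                                 # numeric prefix of e.g. "987K"
      suf = substr($2, length($2), 1)            # K, M, G or a digit
      if (suf == "K") n *= 1000
      else if (suf == "M") n *= 1000000
      else if (suf == "G") n *= 1000000000
      printf "%.0f\n", n                         # %.0f avoids scientific notation
      found = 1
    }'
}

# One data-file line in the format the script above uses: "HH:MM <bytes>".
# A missing rule is recorded as 0 instead of producing a malformed line.
sample_line() {
  local bytes
  bytes=$(rule_bytes "$1" "$2" "$3")
  printf '%s %s\n' "$(date +%H:%M)" "${bytes:-0}"
}

# keep_last_lines FILE N: replaces the delete-one-line-at-a-time loop.
keep_last_lines() {
  local file=$1 n=$2 tmp
  tmp=$(mktemp)
  tail -n "$n" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage (not run here):
# iptables -L -n -v | sample_line FORWARD ACCEPT 192.168.1.2 >> iptablesforward.dat.2
# keep_last_lines iptablesforward.dat.2 60
```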


The small but unknown botnet

I've been monitoring a botnet for a few weeks now but haven't been able to figure out what its name is or really any info on it. It's sort of an interesting bot that is used for sending spam. It seems it only sends out links to websites that either have more malware to download or are Canadian pharmacy websites. The stuff it sends is obvious spam and the volume is pretty low.

Some of the domains I've seen:
annett.in.ua
antonella.in.ua
antje.in.ua
yany.kr.ua

The server at 95.163.107.201 seems to be a monitor making sure the system is still up and working. The information exchanged is just a varying string of encrypted data and decimal numbers. The server at 217.12.199.48 has the meat and potatoes: it sends out lists of email addresses and spam templates to the minions.

Sunday, January 12, 2014

Truecrypt, Extra Harddrive, and Virtual Box

In my day-to-day stuff, I use VMs extensively. My laptop is an i5 with 16 gigs of RAM and 2 SSDs. I use 1 SSD for the system drive and another one houses all of my VMs.

I've been meaning to do full drive encryption for a while using Truecrypt but just didn't have the time. So this weekend I finally got around to doing it. Encrypting the system drive went as expected. It took about 30 minutes to encrypt and everything went well. When I got around to encrypting my other drive, it all went as planned. Or so I thought.

After encryption and verifying I could reboot and everything automounted with Truecrypt, I went to fire up a VM. Uh oh, the VM files can't be found. I didn't notice that when Truecrypt encrypts a non-system drive, it cannot reuse the same drive letter.

This meant that I needed to recreate all of my VMs, or essentially copy the VM data to an external drive and wipe the internal drive for the VMs. Short story, none of my options were very good ones.

But then an idea. I figured that if I can't reuse the same drive letter for mounting the encrypted drive, I need to use another drive letter to begin with. 

  • VM drive letter was D
  • Renamed VM drive letter from D to E
  • Went to Truecrypt and removed my automount setting
  • Added a new automount setting to mount the "new" E drive as D drive
  • So now all of my snapshots and settings in Virtual Box that pointed to the D drive all work as normal. No need for starting up new vm's.

So since there doesn't seem to be a good way of removing encryption altogether from an external drive, this was the next best thing as a workaround. So now I have a fully encrypted system drive and extra drive whilst maintaining all of my original path settings.

Friday, January 10, 2014

Some iptables magic

Here's a quick run down of something I had to do a while ago. So the situation was that I needed to redirect traffic to a different server only for a certain port and allow other traffic to flow as normal. The redirected traffic had to appear to come from the original source as well. This isn't too complicated but here were the details.

Basic Layout (server with iptables in the middle)
Here was the very basic iptables configuration.

  • eth0 is the internet side
  • eth1 is to the masquerade server at the top (10.0.0.1)
  • eth2 is to the switch (internal net)
  • Below is for port 80 redirection but should work for others
  • 192.168.1.2 is the client computer


# Set up iptables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -j ACCEPT -d 192.168.1.2
# Just-in-case rule: drop any port 80 traffic that did not get redirected.
# The filter FORWARD chain sees the post-DNAT destination, so without the
# "! -d 10.0.0.1" exclusion this rule would drop the redirected flow itself.
iptables -A FORWARD -p tcp --dport 80 ! -d 10.0.0.1 -j DROP
iptables -A FORWARD --in-interface eth2 -j ACCEPT
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# Redirecting port 80 stuff
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80
iptables -t nat -A POSTROUTING -j MASQUERADE

The port 80 DROP rule in FORWARD can be a little misleading. This should ideally never get a hit: the PREROUTING rule should be sending the packet off before the FORWARD chain gets applied. It was added more as a just-in-case. This config should allow all other traffic to the internet as normal, but any port 80 traffic will get redirected to the specified server. The client will continue to see the original destination IP on any returned packets as well. How does it do that?
  • The client does a DNS lookup for the hostname entered (or uses a direct IP)
  • It forms the packet and sends it off to the iptables server
  • The iptables server sees the destination is one that it is configured to send elsewhere
  • iptables remembers the original IP address and forwards the packet on to the masquerade server
  • When the traffic returns, iptables rewrites the returning packet with the original IP address it should have had
  • Rinse and repeat

The ability to use this for traffic interception has been very useful for monitoring rogue applications or setting up a tarpit to accept anything and log/alert on what you configured in iptables. Yeah yeah, you could just block the port or destination, but something like this is for when you want to find out more about what is happening by allowing a conversation to happen. You can even go deeper and configure your masquerade server to be whatever the rogue connection is expecting (http, pop, smtp, dns, etc).

Another great network tool - tcpflow

If you are a frequent packet sniffer like I am, you are always looking for better ways to filter through all the crap. Recently I needed to save packet information to files for processing. Using something like Wireshark or tcpdump is the norm. Then when you want to reassemble a transaction you have to follow the flow in Wireshark.

The Linux command line tool tcpflow does this for you though. When it is started with something like "tcpflow -i eth2 -s host 192.168.1.3", it will look at all transactions involving 192.168.1.3. When a transaction is completed, it will write the full transaction details to a single file. In the case of monitoring an infected machine or looking at file transfers, tcpflow would save the entire file transferred into a single file. Yay convenience.

Here's a man page for it. Check it out.

Openssl enc algorithm support

On the OpenSSL documentation, rc4-64 is listed as being supported (in some version, it seems). I had an OpenSSL 1.0.1 build from 2012 loaded in an Ubuntu VM, but when I started up openssl enc, it was not listed as supported. I checked for the latest version and the last one was actually released a few days ago (1.0.1f). So I decided to upgrade. It all went smoothly, but it looks like in the latest release rc4-64 is still not available. I assume there may be some old and insecure version that supports it, but it is kind of annoying that it would be excluded when it's still used.


Adding things up on the cli

Need to add up a column real quick on a linux file? Use awk for a quick add.



Awk will eventually use scientific notation for very large numbers unfortunately.


This is where you can use paste and bc. The command 'paste -sd+' will output the file contents as line1+line2+etc. This is essentially just formatting for input into bc. Very useful when adding up large numbers in a file.

paste -sd+ | bc

PG&E Malware

This stuff coming in claims to be a bill for PG&E but is of course malware. The link is a one-time-use link, but many of them in general are dead links already. The malware it downloads when it works appears to be related to the Walmart, Costco, Best Buy, WhatsApp, etc. ones that I believe are tied to the Asprox botnet.


Botnet1 and filesplitter

So I have a few botnets running on some test machines and I record, and occasionally go over, their traffic. I noticed this morning one of them was sent a larger than normal file. I pulled the file and noticed it was an exe. This was a little out of the ordinary for this one, since the botnet has already established itself on my PC and has been running a while.

A quick strings of the file shows something about a program called filesplitter. It appears that software is used for splitting and combining large files. Interesting. I see a few possibilities with this. It may do something similar to Cryptolocker where it will manipulate local files for some reason. Or it could possibly be used to send out personal files to a remote server or even download pieces of files and reassemble them locally. The exe was crashing when I tried to run it directly though. We'll see what happens I guess.


Thursday, January 9, 2014

Good Article on Asprox botnet

http://herrcore.blogspot.com/2014/01/inside-new-asproxkuluoz-october-2013.html

This is a pretty good article going over the Asprox botnet. I've started taking a look at the botnet communications and decrypting the traffic live has been proving a challenge.

Edit: Well, after some more research I don't feel as dumb. It seems many others are having issues as well after the latest update.

Wednesday, January 8, 2014

Scan a network for DNS servers and attempt to get a version

I had a case where I needed to mass scan some addresses on a network for any open DNS servers. In my case I just needed to find open port 53 servers and attempt a query for their version type. Adding additional things to this script should be easy though.


#! /bin/bash
# Script for scanning a network for DNS servers
# and then checking for a BIND version on them

# Replace the network with your own. UDP scanning (-sU) needs root; -n keeps nmap
# from resolving names so field 5 of the "scan report" line is always the IP.
ipaddresses=$(nmap -n -sU -p 53 192.168.1.0/24 | grep -B3 "53/udp open" | grep "scan report" | awk '{print $5}')

# For each host found, send a BIND version request and print the answer.
for server in $ipaddresses
do
  version=$(dig @"$server" version.bind txt ch +short)
  if [[ -z $version ]]
  then
    version="Not Found"
  fi
  echo "Server: $server"
  echo "Version: $version"
  echo
done

Useful trick for changing directories in nix

So most people know the basics of the "cd" command.


  • It will take a relative path argument (cd directory)
  • It will take absolute path arguments (cd /home/mark/directory)
  • It will take ".." to move up one directory (cd ..)

In the case where you were previously in a directory not directly above or below you, this can be a pain to get back to where you were. The little known option that will save you is the hyphen argument. This is pretty useful when you are deep in the system and need to get back to where you were. 


$pwd
  /home
$cd /var/log/
$pwd
  /var/log
$cd -
  /home


Bit Flipping for binary strings

I ran in to a case where I needed to flip every bit in a very large binary string. I was searching a lot of places and didn't really find anything easy. Fortunately I was way over thinking it. I decided to just use 3 sed statements.

sed -e 's/0/2/g' -e 's/1/0/g' -e 's/2/1/g'

On that same note, if you have messed-up spacing in a binary file for whatever reason, here is a way to fix the spacing. The first sed removes all spaces; the second one regroups the bits into 8-digit groupings.

sed 's/[ ]\+//g' | sed 's/\([01][01][01][01][01][01][01][01]\)\([01][01][01][01][01][01][01][01]\)/\1 \2 /g'