I started seeing these ERROR entries in the Apache error log this morning. Somebody is probing whether a file named “w00tw00t.at.ISC.SANS.DFind” exists on the server. A little research revealed that I am not the only one being probed; others have reported the same thing (examples: from Webmasterworld, from Sans).

w00tw00t.at.ISC.SANS.DFind entries are the fingerprint of the DFind vulnerability scanner, which sweeps web servers looking for exploitable flaws. The probe itself is harmless: the scanner sends an HTTP/1.1 request without a Host header, so Apache rejects it with a 400 error and never touches a file, which is why it shows up in the error log rather than the access log. Unless you have a vulnerability that the scanner goes on to exploit, the probe alone cannot hurt you. You don’t have to freak out right now, but do a little research. I would advise the following:

  • Check your /public_html/ or /http_docs/ folder to see whether those files really exist.
  • If you have root on your server, list the processes running on it:
    # ps -ef
    If you don’t have root, contact your hosting company.
  • # lsof shows you the open files on the server. If you know for a fact that sshd, httpd, mysqld and cpanel are legitimate on this server, filter them out:
    # lsof | egrep -v "(sshd|httpd|mysqld|cpanel)"
    Skimming what remains quickly reveals odd names such as “./httpd”, “./ps” or “./w00t” started from a relative path rather than a system directory. Find where those processes were started from, kill them, and then delete their binaries. Note the order: a running binary can be deleted while the process keeps running in memory (lsof marks such files as “(deleted)”), so killing the process is what actually stops it. Copy the files somewhere safe before you delete them; they are your evidence. Keep in mind too that on a compromised host ps and lsof themselves may have been replaced by a rootkit, so treat a clean-looking listing with some suspicion.
  • I would also suggest disabling the FTP server and any other service that you cannot keep patched and that is not mission critical.

As far as I can see from my log files, the scanner leaves a few variations of the same trace:
w00tw00t.at.ISC.SANS
w00tw00t.at.ISC.SANS.DFind
w00tw00t.at.ISC.SANS.test0

A full log line looks like this:

[error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

These are the scanning hosts I captured in the last 2-3 days (trimmed to the client address and the probe path):

[error] [client 124.60.128.27] (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

[error] [client 97.74.120.70] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 128.121.239.210] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 74.7.26.59] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 163.117.157.226] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.test0
[error] [client 91.190.93.141] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 207.210.233.50] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 67.19.254.226] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.test0
[error] [client 61.119.173.150] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 75.127.91.174] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 173.45.84.136] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 216.168.43.234] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
[error] [client 173.45.84.136] (see RFC2616 section 14.23) /w00tw00t.at.ISC.SANS.DFind
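To turn log lines like the ones above into something you can act on, here is an added example (mine, not part of the original post) that parses Apache 2.x error_log entries, counts w00tw00t probes per source address and renders iptables rules for the noisiest sources. The sample lines are constructed from the entries in the post; the log format assumed is the Apache 2.0/2.2 one shown above (an optional timestamp, then "[error] [client IP] message"), and the generated rules assume IPv4 and a web server on port 80.

```python
"""Triage Apache error_log entries left by the DFind / w00tw00t scanner.

Added example; not code from the original post. Parses error_log lines,
extracts the client address of each w00tw00t probe, counts probes per
source and renders block rules for sources above a threshold.
"""
import re
from collections import Counter

# Apache 2.0/2.2 error_log: "[date] [error] [client IP] message".
# The timestamp is optional because the post shows lines without it.
ERROR_LINE = re.compile(
    r"^(?:\[[^\]]*\]\s+)?\[error\]\s+\[client\s+(?P<ip>[0-9.]+)\]\s+(?P<msg>.*)$"
)
# The probe path; the trailing ":)" and the variant (DFind, test0, ...) vary.
W00T_PATH = re.compile(r"/w00tw00t\.at\.ISC\.SANS(?:\.[A-Za-z0-9]+)?")

# Constructed sample log (based on the entries in the post).
SAMPLE_LOG = """\
[error] [client 216.168.43.234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[error] [client 173.45.84.136] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[error] [client 173.45.84.136] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[error] [client 163.117.157.226] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0
[error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
[notice] Apache/2.2.3 (Linux) configured -- resuming normal operations
"""


def parse_line(line):
    """Return (client_ip, probe_path) for a w00tw00t probe line, else None."""
    m = ERROR_LINE.match(line)
    if not m:
        return None
    p = W00T_PATH.search(m.group("msg"))
    if not p:
        return None
    return m.group("ip"), p.group(0)


def probes_by_source(log_text):
    """Count w00tw00t probes per client IP across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            counts[hit[0]] += 1
    return counts


def block_rules(counts, threshold=1):
    """One iptables DROP rule per source with at least `threshold` probes,
    noisiest first. Review before applying: a scanner may sit behind a NAT
    shared with legitimate visitors, and the probe itself is harmless."""
    return [
        "iptables -I INPUT -s %s -p tcp --dport 80 -j DROP" % ip
        for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        if n >= threshold
    ]


if __name__ == "__main__":
    hits = probes_by_source(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print("%-16s %d probe(s)" % (ip, n))
    print("\n".join(block_rules(hits, threshold=2)))
```

Run it against a real log with `probes_by_source(open("/var/log/httpd/error_log").read())`. Blocking sources one by one is whack-a-mole against a scanner that rotates hosts, so the count is more useful as a signal than the rules are as a fix; the patching advice above is what actually matters.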

I was looking on the internet for a good-value phone company to call my home country. JAJAH’s pricing looked very competitive, and when I made my first (free) trial call the voice quality was pretty good. I decided to open an account and added $10 of credit.

JAJAH Review

Here is what happened afterwards:

  1. JAJAH constantly charges me for calls even though they never connected me to the other party. Of my $10, I wasted about $3-4 on missed and unconnected calls. Imagine you are calling somebody at 15 cents/minute: as soon as you are connected to your JAJAH account, it takes 15 cents from your balance. If it rings on the other side and they do not answer (counting the time to connect to JAJAH, JAJAH’s call to the other party and the ringing), you end up being charged 30 cents. Repeat that once an hour trying to reach a friend, and after 3 hours you have already spent $1 for zero talk time. When I contacted technical support, they apologized and gave me credit for my lost minutes.

    Dear JAJAH user,

    We thank you for your email.

    Whenever there is an actual phone involved (which is always the case when making a JAJAH call) a call termination cost occurs. In those cases JAJAH may bill you for the first minute of calls that cannot be completed at our low rates. The reason for this is charges by the carrier, which JAJAH is unable to subsidize.

    We apologize for the inconvenience and as a courtesy we’ve credited you for these calls.

    Sincerely,
    Brad
    JAJAH Support Team

    I said to myself, at least these guys have good customer service (unlike cheap services like Voipbuster, VoipRaider etc.). I was happy to keep using their service, but was the issue resolved? NO! I lost a couple of dollars after that.

    The JAJAH forum shows others who suffered from the same problem:

    My friend called me a few minutes later and told me that Jajah charged his account and one of his employees’ accounts for phone calls that were never completed. To be more precise, whenever they called a busy number and hung up their phone, they were charged!!!!
    I tried it myself, calling my “busy” mobile number. When I heard the busy tone, I hung up the phone and was surprised to see that I was charged 17 seconds/0.179 euros!!!

    Please note that calls that are not connected or answered will be charged a minimum of one minute at JAJAH’s regular low rates.

    Calls that are busy or not answered are automatically connected to our scheduling service. This feature is provided as a service to our users when the destination number can not be reached. In such cases, the user has the ability to reschedule the call for a later time. These calls will be charged by the minute at JAJAH’s regular low rates.

    Sincerely,
    JAJAH Support Team

    I’ve been using Jajah for over a year now and I won’t be using their service anymore. Last night, they charged my account $15 CAD without my consent. I’ve been using Jajah for over a year and was rather satisfied until lately.

    And last night, they just charged me $15 CAD without my consent. They never charged me without my consent before I never allowed them to automatically bill me.

    Jajah, please stop this shady practice. You used to be good, why ruin it now?

    If a customer service ever wanders this board, please help me. I never allow automatic billing/refill/topup; how come you charged me without my authorization. I felt robbed.

    I am truly amazed! Do you really mean that if I’m trying to call a company’s line that is usually busy, for every attempt to talk to them I will be charged 1 minute??? If I try to call them 10 times and the line is still busy, I will pay for ten one-minute calls even if I was never connected??
    Is this rational? Or even ethical?

  2. JAJAH cannot connect me to some of the big carriers. My wife went back to my home country, and since I had not added funds to any of my other VoIP accounts (only JAJAH), I was helpless: each time I had to reach her, I had to use JAJAH in a rush, and it failed me every single time. Each time I entered her mobile number, JAJAH answered: Please enter a valid destination number. I tried over and over, but no. It is not me or the number I am trying to call; it is JAJAH. Imagine having a loved one you need to reach in an emergency and not being able to, so that you end up going through your phone book for another way to reach her.

     Please enter a valid destination number.

  3. JAJAH “Pre-Call Advertising”: to me, it is just another rip-off. When I signed up and opened my account, I noticed they offer this pre-call advertising option. I thought ‘wow, GOOD DEAL’: imagine being paid for listening to a couple of ads for 15-20 seconds before making a phone call. No big deal if it saves a couple of cents. It turned out that my judgement was wrong:
     • It takes about 15-20 seconds to listen to the advertising (`JAJAH is bringing you TigerDirect ……` and so on). Once you finish listening, you think you have earned the cents. NOPE: you also need to click on the ads on their website.
     • While you are listening to the ads, the clock is ticking. So in the end, instead of paying for 1 minute of zero talk time, you are paying for 2 minutes of zero talk time.
    JAJAH “Pre-Call Advertising” quote:

    Want to save even more? JAJAH gives you a chance to earn free credit for each call you make. While we are connecting your call, you can choose to listen to a brief advertisement and be rewarded with free credit. Every month, JAJAH will credit your account based on how many advertisements you have heard.

  4. JAJAH local direct numbers are problematic; their local direct numbers do not work. When I call their 214 local direct number, it tells me ‘if you are making a long distance call, please dial 011′. I tried every combination I would normally dial from a home phone. It seems to work at first and says ‘JAJAH is connecting your call’, then there is a busy tone instantly. I tried several times thinking the other party was busy, and guess what happened? I lost 15 cents for each trial. When I talked to my brother over IM, he told me he had not used his cellphone since that morning. I ended up losing about $1 on that too.
  5. Last but not least, recently I started hearing a constant noise when making phone calls, and the voice quality got far worse than on my first trial call.

I have about 40 cents left in my account from $10 and I have no further plans to add new funds to my account.


JAJAH VoIP Service
Rating: 1.5
Reviewed by: Matt Wilson
Date: 2009-05-17
Summary: JAJAH claims to be very affordable, but I found that claim very wrong when you consider the service as a whole.

I looked everywhere for the Exchange 2007 VHD default password, with no luck. If you downloaded the Exchange 2007 with Windows 2003 evaluation VHD and are trying to log in, you will get a logon screen with the following fields; fill them in as given below:

Username: Administrator
Password:  Evaluation1
Log on to: LITWAREINC

Since these credentials are published, keep the evaluation VM on an isolated network, or change the Administrator password before connecting it to anything reachable from outside.

Package details for Exchange 2007 VHD:

Microsoft Exchange Server 2007 SP1 VHD
This download comes as a pre-configured VHD. It enables you to evaluate Microsoft Exchange Server 2007 SP1.

Google Update is used to keep Google applications up to date on your system. It keeps track of the Google software you have installed (Google Toolbar, Google Earth etc.) and, as soon as an update is available, downloads it by default. If you are also getting tired of seeing GoogleUpdate.exe running in Windows Task Manager, you have several options.

  1. Uninstall Google Updater

    Follow the regular steps for uninstalling software on Windows: Start -> Control Panel -> Add or Remove Programs. You will see “Google Updater” listed in the Add or Remove Programs window; click Remove. Although this is the cleanest method, it is not a permanent solution: the next time you install a Google application, Google Updater will be installed again automatically and you will be back where you started.

    [screenshot: google-updater.gif]

    This step uninstalls the Google Update software.

  2. Remove Google Updater from Scheduled Tasks

    Although Google claims to be an “angel” and “not evil”, it really acts like a devil when it comes to desktop software. They are very persistent about keeping Google Update, Google Notifier and other Google applications running in the background on every Windows user’s machine. Google Update is one example: as soon as you install it, it adds itself to Scheduled Tasks, and unless you are a fairly advanced user you will not notice. You can read more on this argument in “Why Google’s Software Update Tool is Evil“:

    Here are a few reasons why an always-active daemon (software speak for a tiny app that runs in the background) for handling software updates is a bad idea:

    1. It opens up an always-on tunnel to Google. While Google may be confident its update servers will never be compromised, how confident are you? If a third party gains control of that server, it can inject nearly any code it wants into your machine.
    2. It’s always on, always looking for updates. On an expensive, pay-by-the-megabyte EVDO network? Google Updater doesn’t care and will suck down any available updates without asking, costing you money.
    3. Google updates Google Earth or Picasa or Gtalk, but the update ends up having a bug that wipes data from your drive. Sorry, too late — the auto-updater already grabbed the latest version without asking. Kiss your data goodbye.
    4. Administering a large network that needs to be locked down and tightly controlled? Cross Google software off your list. All the above problems apply, but they’re cascaded across your network for added headaches.

    To stop Google Update from running in the background, open Scheduled Tasks: Start -> Programs -> Accessories -> System Tools -> Scheduled Tasks

    Remove all Google Update tasks in this window. Keep in mind that this also stops security updates for the Google software you keep installed, so you will have to update it by hand from then on.

    [screenshot: google-updater-scheduled-tasks.gif]

Getting hardware details out of a Linux machine seems challenging at first, but you have a variety of options and it is quite easy. They include custom scripts over existing resources (dmesg, /proc) and applications such as hwinfo and lshw.

In this article we cover different methods of getting hardware details from your Linux OS. These tips are mainly for Red Hat, SUSE and Debian; other distros might show slightly more or less detail depending on the kernel version.

1- Hardware Details on Linux using a custom script:

This script collects almost everything you would need from existing kernel messages and standard tools and writes a brief report to a file under /tmp. It uses:

dmesg for memory information
lspci for information about all PCI buses in the system and all devices connected to them (by default it shows a brief list of devices)
/proc/cpuinfo for CPU information (including the model name, e.g. AMD Opteron(tm) Processor, and the clock, e.g. 1992 MHz)
fdisk -l for hard drive and partition information
rpm -qa for the installed packages (Red Hat only, so remove this line on other distros)
/etc/*-release to get the Linux distro
uname -a to get the Linux kernel version


#!/bin/sh
# Collect hardware details from standard tools into one report file.
# mktemp gives an unpredictable name; writing a fixed name such as
# /tmp/output as root is open to a symlink attack by a local user.
OUT=$(mktemp /tmp/hwreport.XXXXXX) || exit 1

printf '\n PCI info \n'      >  "$OUT"
lspci                        >> "$OUT"
printf '\n Memory info \n'   >> "$OUT"
dmesg | grep -i memory       >> "$OUT"
printf '\n CPU info \n'      >> "$OUT"
cat /proc/cpuinfo            >> "$OUT"
printf '\n HDD info \n'      >> "$OUT"
fdisk -l                     >> "$OUT" 2>/dev/null   # lists every disk, so no per-device calls are needed
printf '\n Package info \n'  >> "$OUT"
rpm -qa                      >> "$OUT" 2>/dev/null   # Red Hat only; remove (or use dpkg -l) on Debian
printf '\n Release info \n'  >> "$OUT"
cat /etc/*-release           >> "$OUT"
printf '\n Platform info \n' >> "$OUT"
uname -a                     >> "$OUT"
echo "Hardware report written to $OUT"

2- Hardware Details on Linux using tools (hwinfo, lshw):

There are different tools on different distros that you can use to get the hardware details.

On SUSE, you can use: # hwinfo

You can use hwinfo on Debian too (apt-get install hwinfo); it is very handy.
# hwinfo --short gives you a brief summary of your hardware:

# hwinfo --short
cpu:
AMD Opteron(tm) Processor 246, 1992 MHz
AMD Opteron(tm) Processor 246, 1992 MHz
monitor:
Generic Monitor
graphics card:
ATI Rage XL
storage:
Floppy disk controller
AMD-8111 IDE
Silicon Image SiI 3114 SATALink Controller
network:
eth2                 Intel EtherExpress PRO/100 S Server Adapter
eth0                 Broadcom NetXtreme BCM5704 Gigabit Ethernet
eth1                 Broadcom NetXtreme BCM5704 Gigabit Ethernet
network interface:
lo                   Loopback network interface
eth0                 Ethernet network interface
eth1                 Ethernet network interface
eth2                 Ethernet network interface

On Debian, you can use: # lshw

# lshw -short generates a summary of your hardware in an organized fashion:

H/W path            Device      Class      Description
======================================================
                                system     PowerEdge 1950
/0                              bus        0TT740
/0/0                            memory     64KiB BIOS
/0/400                          processor  Intel(R) Xeon(R) CPU           E5405  @ 2.00GHz
/0/400/700                      memory     128KiB L1 cache
/0/400/701                      memory     12MiB L2 cache
/0/400/702                      memory     L3 cache
/0/401                          processor  Intel(R) Xeon(R) CPU           E5405  @ 2.00GHz
/0/401/703                      memory     128KiB L1 cache
/0/401/704                      memory     12MiB L2 cache
/0/401/705                      memory     L3 cache
/0/1000                         memory     8GiB System Memory

3- Hardware Details on Linux using the /proc folder:
You can get as many details as you like just by reading the files under /proc (for example # cd /proc; more meminfo):

# more meminfo
MemTotal:      8186420 kB
MemFree:         56572 kB
Buffers:        166008 kB
Cached:        4887080 kB
SwapCached:         12 kB
Active:        2886576 kB
Inactive:      4722968 kB
SwapTotal:     7807580 kB
SwapFree:      7807548 kB
Dirty:             220 kB
Writeback:           0 kB
AnonPages:     2556436 kB
Mapped:          35064 kB
Slab:           453328 kB
SReclaimable:   422408 kB
SUnreclaim:      30920 kB
PageTables:      11848 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:  11900788 kB
Committed_AS:  4229312 kB
VmallocTotal: 34359738367 kB
VmallocUsed:     27880 kB
VmallocChunk: 34359710403 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
HugePages_Surp:      0
Hugepagesize:     2048 kB
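The meminfo listing above is easy to read by eye but awkward to script against. The following is an added example (mine, not part of the original post) that parses /proc/meminfo into numbers and derives the figures an administrator usually wants: memory actually in use once buffers and page cache are subtracted, and swap in use. The sample text is a trimmed copy of the listing above; the "used" convention (MemTotal minus MemFree, Buffers and Cached) is the usual one for 2.6-era kernels that have no MemAvailable line.

```python
"""Parse /proc/meminfo and derive used-memory and swap figures.

Added example; not code from the original post. Works on the kernel
2.6 format shown in the post: "Key:  value [kB]".
"""
import re

# Key, integer value, and an optional "kB" unit (HugePages_* are plain counts).
MEMINFO_LINE = re.compile(r"^(?P<key>\w+):\s+(?P<value>\d+)(?:\s+(?P<unit>kB))?$")

# Constructed sample, trimmed from the listing above.
SAMPLE_MEMINFO = """\
MemTotal:      8186420 kB
MemFree:         56572 kB
Buffers:        166008 kB
Cached:        4887080 kB
SwapTotal:     7807580 kB
SwapFree:      7807548 kB
HugePages_Total:     0
Hugepagesize:     2048 kB
"""


def parse_meminfo(text):
    """Return {key: value}; kB fields stay in kB, unit-less counters stay as counts."""
    out = {}
    for line in text.splitlines():
        m = MEMINFO_LINE.match(line.strip())
        if m:
            out[m.group("key")] = int(m.group("value"))
    return out


def memory_summary(info):
    """Derive used memory (excluding buffers and page cache) and swap in use."""
    used = info["MemTotal"] - info["MemFree"] - info["Buffers"] - info["Cached"]
    swap_used = info["SwapTotal"] - info["SwapFree"]
    return {
        "total_kb": info["MemTotal"],
        "used_kb": used,
        "used_pct": round(100.0 * used / info["MemTotal"], 1),
        "swap_used_kb": swap_used,
    }


def read_live(path="/proc/meminfo"):
    """Parse the running system's meminfo (Linux only)."""
    with open(path) as f:
        return parse_meminfo(f.read())


if __name__ == "__main__":
    summary = memory_summary(parse_meminfo(SAMPLE_MEMINFO))
    for key, value in sorted(summary.items()):
        print("%-13s %s" % (key, value))
```

On a live box, `memory_summary(read_live())` gives the same dictionary for the running system; the sample in the block reports roughly 37.6% of 8 GB actually in use, which matches the intuition that most of the "MemFree: 56572 kB" on that server is page cache rather than pressure.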

4- Listing the DMI table with dmidecode and USB devices with lsusb:

Another very effective and powerful tool is # dmidecode. dmidecode dumps the computer’s DMI (also called SMBIOS) table contents in a human-readable format. This table contains a description of the system’s hardware components as well as other useful pieces of information, such as serial numbers and the BIOS revision.

# lsusb is the tool for showing the devices attached to the USB ports.

If you run plain # lsusb, it lists the ports and what is attached to them. If you run lsusb with -v (verbose), you get a lot more information about the USB devices:

# lsusb -v

Bus 002 Device 001: ID 0000:0000
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            9 Hub
  bDeviceSubClass         0 Unused
  bDeviceProtocol         0 Full speed hub
  bMaxPacketSize0        64
  idVendor           0x0000
  idProduct          0x0000
  bcdDevice            2.06
  iManufacturer           3 Linux 2.6.18.2-34-default ohci_hcd
  iProduct                2 OHCI Host Controller
  iSerial                 1 0000:03:00.1
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed hub
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval             255