MoonPoint Support Logo


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals

Advanced Search
Sun Mon Tue Wed Thu Fri Sat

Sat, Dec 31, 2016 6:21 pm

Using netstat to determine the process that is using a network port under Linux

While troubleshooting an isuue on a CentOS server, which functions as a web server, I used the tcpdump utility to monitor network traffic to and from the web server. I used the tcpdump command tcpdump -i enp1s4 -vvv port 80 to observe traffic on network interface enp1s4, which was the Local Area Network (LAN) interface, and only on port 80, the well-known port for HTTP traffic. Amidst the expected traffic I also saw HTTP connectivity from the server on which I was performing the troublehshooting to another web server, which seemed odd, since it wasn't immediately apparent to me why the server I was troubleshooting was connecting to that other web server at IP address

15:12:46.491073 IP (tos 0x0, ttl 64, id 21907, offset 0, flags [DF], proto TCP (
6), length 52) > Flags [F.], cksum 0x26b7 (incorrect
 -> 0x2738), seq 3599572683, ack 3802137359, win 115, options [nop,nop,TS val 28
33407685 ecr 423340583], length 0
15:12:46.515987 IP (tos 0x0, ttl 54, id 31318, offset 0, flags [none], proto TCP
 (6), length 52) > Flags [F.], cksum 0x13c6 (correct),
 seq 1, ack 1, win 114, options [nop,nop,TS val 423345561 ecr 2833407685], lengt
h 0
15:12:46.516052 IP (tos 0x0, ttl 64, id 21908, offset 0, flags [DF], proto TCP (
6), length 52) > Flags [.], cksum 0x26b7 (incorre
ct -> 0x13ac), seq 1, ack 2, win 115, options [nop,nop,TS val 2833407710 ecr 423
345561], length 0

[ More Info ]

[/os/unix/commands] permanent link

Fri, Dec 30, 2016 7:45 pm

SSH break-in attempts from IP addresses

Yesterday, while using the free and open source packet analyzer software Wireshark to observe network traffic reaching a router, I had set a packet filter in Wireshark to filter on Internet Control Message Protocol (ICMP) traffic. I saw a lot of unexpected ICMP "port unreachable" packets coming from a server behind the router headed outbound to the Internet to the IP address

Internet Control Message Protocol
Type: 3 (Destination unreachable) Code: 3 (port unreachable) Checksum: 0xa821 [correct] [Checksum Status: Good] Unused: 00000000

ICMP destination unreachable packets are "generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason." There is a "code" field that follows the "type" field in an ICMP packet. If the code is 3, then it indicates a port unreachable error (the designated protocol is unable to inform the host of the incoming message). When I checked the destination port at the server end, I saw it was 22, which is the well-known port for the Secure Shell (SSH) protocol.

[ More Info ]

[/security/attacks/ssh] permanent link

Thu, Dec 29, 2016 10:38 pm

Setting up a Family Library for a Kindle Fire HD 10

My wife usually reads at night using her Amazon Kindle before going to sleep. Recently, however, she experienced problems charging the Kindle. We looked at new Kindles, including the Kindle Fire HD 10 Tablet1px x 1px That Kindle is larger than her prior Kindle, but she was impressed with how light it is and felt that she could read comfortably at night in bed with it, so we ordered that one online; it arrived today. When I purchased our first Kindle, the first one offerred, we shared the Kindle. Eventually I bought her a Kindle of her own and then later we purchased a new third Kindle for her, but since Amazon didn't offer a means to transfer books from one family member to another, we didn't have a mechanism for transferring her books from the first and second Kindles to her latest Kindle, if we created a second account just for her, so she would see my books if she looked for books we'd purchased to download to her Kindle and I'd see recommendations refelecting her reading tastes when I logged into my account. It was annoying that Amazon didn't previously provide a means for us to separate our Kindle ebooks, but when the new Kindle arrived today, I decided I'd check to see if they now did offer an option for family members to share or transfer books, since it had probably been at least a year since I'd last checked. Happily, I found that Amazon now offers a "Family Library" option that allows adult family members to share books with one another, which would allow me to create a new Amazon account for her and share the books she'd already purchased under my original account to her new account.

[ More Info ]

[/ebook/kindle] permanent link

Sat, Dec 24, 2016 4:32 pm

Remove a site's cookies from Firefox

The following steps can be taken to remove the cookies associated with a particular website in the Firefox browser. Note: these steps were taken on Firefox 50.0.2 on a Microsoft Windows 10 system, but should be applicable to other versions as well.
  1. Click on the 3 horizontal bars at the upper, right-hand corner of the Firefox Window.
  2. Click on Options.
  3. In the about:preferences window, click on Privacy.
  4. Under the History setion of the Privacy window, click on "remove individual cookies".
  5. In the Cookies window, scroll down to you find the relevant site.
  6. Click on the relevant site to select it, then click on the Remove Selected button.

[ More Info ]

[/network/web/browser/firefox] permanent link

Sat, Dec 17, 2016 10:06 pm

Searching browsing history for a specified period with BrowsingHistoryView

I performed a malware scan of a system with McAfee Total Protect on 2016-12-14 which found malware that was apparently placed on the system on December 8, 2016. Since BrowsingHistoryView from Nir Sofer provides a means to examine the browsing history stored on a system for many browsers, I installed it on the system - the installation process consists of simply extracting the files contained in the zip file you can download from the NirSoft website - in an attempt to determine the source for the malware. I thought there might be an entry in the browsing history for a time near the time stamp on the malware file that would reveal a website from which it might have been downloaded. BrowsingHistoryView allows one to view the browsing history for the following browsers:

[ More Info ]

[/os/windows/software/network/web/BrowsingHistoryView] permanent link

Sat, Dec 17, 2016 9:45 pm

SUPERAntiSpyware detected Search Protection

I ran a scan for malware on a Microsoft Windows 10 system using SUPERAntiSpyware, an anti-spyware program that is available as a free version, today. I ran a scan of another Windows 10 system at the same location using SUPERAntiSpyware a few days ago after the user of that system reported performance problems on her system. The other user told me that the user of the system I scanned today was also experiencing problems with her system. SUPERAntiSpyware reported "1 Item Found" on the system I scanned today. It reported that it found an application Search Protection:

Search Protection is a program that may display advertisements and is bundled with other potentially unwanted programs.

It identified the following Windows registry key as suspicious:


[ More Info ]

[/security/scans/20161217] permanent link

Fri, Dec 16, 2016 11:02 pm

Changing the Windows 10 proxy server settings

You can view or change the proxy server settings for a Microsoft Windows 10 system by using the Microsoft Edge browser to manage the proxy server settings or you can do it from a command line interface (CLI), i.e., a command prompt, using the reg command. To determine whether the system is currently configured to use a proxy server, you can use the reg query command below.

C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x0


The 0x0 represents hexadecimal value zero and that value indicates the system is not currently configured to use a proxy server. A value of one, i.e., 0x1, indicates it is currently configured to use a proxy server.

Even if the value is 0, you can determine if a proxy server had previously been set that will be used again if you set the value to 1 by using the reg query command below.

C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyServer    REG_SZ    socks=


In the example above, if the value is set to 1, i.e., the system is reconfigured to use a proxy server, a SOCKS proxy server will be used that is listening on the localhost address, i.e., on the SOCKS proxy registered port, i.e., TCP port 1080. E.g., a SOCKS proxy could be set up with PuTTY, a free Secure Shell (SSH) client program.

To enable a proxy server, a reg add command can be used as shown below.

C:\>reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
The operation completed successfully.


In the example above, since the proxy server setting was set to be a SOCKS proxy, any browser, such as Edge or Firefox, if it was configured to use the system wide proxy settings, would now route web traffic through the proxy server.


  1. Checking Microsoft Windows proxy server settings
    Created: Wednesday January 7, 2015
    Last modified: Saturday June 27, 2015
    MoonPoint Support
  2. Finding the proxy setting for Firefox from a command line
    Created: Saturday November 15, 2014
    Last modified: Sunday November 16, 2014
    MoonPoint Support

[/os/windows/win10] permanent link

Thu, Dec 15, 2016 10:25 pm

Locating an OS X window that is no longer visible

I started the installation of a program on a MacBook Pro laptop running OS X Yosemite (10.10.5), but then switched to a Terminal window. When I wanted to switch back to the installation window I could no longer find it in the OS X dock at the bottom of the screen, nor could I see it by cycling through open windows with the Command-Tab keys, nor did I see it when I clicked on the Apple icon at the upper, left-hand corner of the screen and looked for it under Force Quit. When I tried to restart the installation by clicking on the Apple Disk Image .dmg file, nothing appeared to happen. I was able to find the invisible window by hitting the F3 function key on the keyboard, though. I could then see the hidden DiskImages UI Agent window that I hadn't been able to locate previously. I was able to click on it and bring it to the foreground where I could proceed with the installation.

[ More Info ]

[/os/os-x] permanent link

Wed, Dec 14, 2016 11:04 pm

Malware scan of a Windows 10 system with McAfee Total Protect on 2016-12-14

I ran a malware scan of a Microsoft Windows 10 system yesterday after the user of the system reported that she was having problems with QuickBooks and Internet Explorer on the system and that the system had been performing poorly for some time. SUPERAntiSpyware detected Cartwheel Shopping, et al. potentially unwanted software on the system. I had SUPERAntispyware remove everything it detected, but this evening decided to also run a scan of the system with the antivirus software, McAfee Total Protection, which has been on the system since it was purchased. That antivirus software reported it detected two items. The two items detected were Adware-DealPly and PUP-XAO-ME.

[ More Info ]

[/security/scans] permanent link

Tue, Dec 13, 2016 10:24 pm

SUPERAntiSpyware detected Cartwheel Shopping, et al.

A user reported that she was having a lot of problems with her Windows 10 PC, including performance issues and problems with the Internet Explorer web browser. When I logged into an administrator account and scanned the system with SUPERAntiSpyware, an anti-spyware program that is available as a free edition, it detected Cartwheel Shopping, which it noted "is a program that may display advertisements and is bundled with other potentially unwanted programs."

[ More Info ]

[/security/scans] permanent link

Mon, Dec 12, 2016 8:22 am

Converting man pages to HTML files with man2html

When I want to convert man pages to HTML files, I usually employ the groff utility. E.g., I can locate the modifyrepo man page with the find command and then cut and paste the location of the man page file after the cat command or use command substitution to take the output from the find command as input to the cat command. I then pipe the output into the groff command. But sometimes that method doesn't produce clean HTML code. An alternative means of producing an HTML file from a man page is with the man2html utility.

[ More Info ]

[/os/unix/programs/utilities] permanent link

Sun, Dec 11, 2016 9:19 pm

Changing the time for a Windows 10 automatic restart

When an automatic reboot has been scheduled for a Microsoft Windows 10 system after an operating system (OS) update, you will be warned that the system will be rebooted. The system shouldn't be rebooted while you are actively using it, but it could reboot after you've stepped away from the system temporarily for a short time when the OS deems the system is idle, if the time is outside what the OS considers the "active hours" for the system, i.e., the hours you would be expected to be using it normally. Windows view of what are "active hours" may be different than your view, however. You can check on what hours it deems to be the "active ones" for your PC and change the time it is scheduled to reboot automatically by bringing up the Windows Update settings window by the following steps.

[ More Info ]

[/os/windows/win10] permanent link

Sat, Dec 10, 2016 8:25 pm

tcpdump bad udp cksum 0x431e message

While troubleshooting a problem with Domain Name System (DNS) lookups on a CentOS 7 system, I ran tcpdump using the -vv option to get very verbose output. The output from tcpdump showed many "bad udp cksum 0x431b" messages.

# tcpdump -i enp1s4 -vv port 53
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 by
15:04:44.432784 IP (tos 0x0, ttl 64, id 18564, offset 0, flags [DF], proto UDP (
17), length 75) > [bad udp cksum 0x431e -> 0x9f9d
!] 29085+ A? (47)
15:04:44.433856 IP (tos 0x0, ttl 64, id 21529, offset 0, flags [DF], proto UDP (
17), length 73)

As explained at UDP / TCP Checksum errors from tcpdump & NIC Hardware Offloading by Sokratis Galiatsis "This is caused because you have checksum offloading on your network card (NIC) and tcpdump reads IP packets from the Linux kernel right before the actual checksum takes place in the NIC’s chipset. That’s why you only see errors in tcpdump and your network traffic works ok."

[ More Info ]

[/os/unix/programs/network/tcpdump] permanent link

Wed, Dec 07, 2016 11:27 pm

Show all drives from Windows command prompt

If you need to obtain a list of all disk drives on a Microsoft Windows system from a command line interface (CLI), e.g., a command prompt window, you can do so using Windows Management Instrumentation Command-line (WMIC). You can obtain a list of drives by opening a command prompt window and then issuing a wmic logicaldisk get command followed by parameters relevant to the information you wish to see. You can see a list of parameter options by issuing the command wmic logicaldisk get /?.

C:\>wmic logicaldisk get /?

Property get operations.

GET [<property list>] [<get switches>]
NOTE: <property list> ::= <property name> | <property name>,  <property list>

The following properties are available:
Property                                Type                    Operation
========                                ====                    =========
Access                                  N/A                     N/A
Availability                            N/A                     N/A
BlockSize                               N/A                     N/A
Caption                                 N/A                     N/A
Compressed                              N/A                     N/A
ConfigManagerErrorCode                  N/A                     N/A
ConfigManagerUserConfig                 N/A                     N/A
Description                             N/A                     N/A
DeviceID                                N/A                     N/A
DriveType                               N/A                     N/A
ErrorCleared                            N/A                     N/A
ErrorDescription                        N/A                     N/A
ErrorMethodology                        N/A                     N/A
FileSystem                              N/A                     N/A
FreeSpace                               N/A                     N/A
InstallDate                             N/A                     N/A
LastErrorCode                           N/A                     N/A
MaximumComponentLength                  N/A                     N/A
MediaType                               N/A                     N/A
Name                                    N/A                     N/A
NumberOfBlocks                          N/A                     N/A
PNPDeviceID                             N/A                     N/A
PowerManagementCapabilities             N/A                     N/A
PowerManagementSupported                N/A                     N/A
ProviderName                            N/A                     N/A
Purpose                                 N/A                     N/A
QuotasDisabled                          N/A                     N/A
QuotasIncomplete                        N/A                     N/A
QuotasRebuilding                        N/A                     N/A
Size                                    N/A                     N/A
Status                                  N/A                     N/A
StatusInfo                              N/A                     N/A
SupportsDiskQuotas                      N/A                     N/A
SupportsFileBasedCompression            N/A                     N/A
VolumeName                              N/A                     N/A
VolumeSerialNumber                      N/A                     N/A

The following GET switches are available:

/VALUE                       - Return value.
/ALL(default)                - Return the data and metadata for the attribute.
/TRANSLATE:<table name>      - Translate output via values from <table name>.
/EVERY:<interval> [/REPEAT:<repeat count>] - Returns value every (X interval) seconds, If /REPEAT specified the command is executed <repeat count> times.
/FORMAT:<format specifier>   - Keyword/XSL filename to process the XML results.

NOTE: Order of /TRANSLATE and /FORMAT switches influences the appearance of output.
Case1: If /TRANSLATE precedes /FORMAT, then translation of results will be followed by formatting.
Case2: If /TRANSLATE succeeds /FORMAT, then translation of the formatted results will be done.


For example, the results from issuing the command on a Windows 10 system to display the device ID, volume name, and description are shown below:

C:\>wmic logicaldisk get deviceid, volumename, description
Description       DeviceID  VolumeName
Local Fixed Disk  C:        OS
CD-ROM Disc       D:
CD-ROM Disc       E:
Removable Disk    F:        EMTEC


[ More Info ]

[/os/windows/commands/wmic] permanent link

Sat, Dec 03, 2016 11:02 pm

Large number of procmail processes and failing POP3 connections

I was notified by a user that she was not able to check her email. After verifying that I could successfully establish a Telnet connection to the Simple Mail Transfer Protocol (SMTP) port, i.e., well-known port 25, which her system would use for sending email, I then tried establishing a Post Office Protocol version 3 (POP3) connection to the mail server from an external Microsoft Windows system, using Microsoft's telnet client. But that got stuck at "connecting to".
Microsoft Telnet> open 110
Connecting To

So I logged into the mail server, which is a CentOS 7 Linux server running Sendmail and Dovecot, and tried connecting to the localhost address,, but Dovecot never responded with a banner, nor did I receive any response when I issued a user command to provide login credentials. I had to hit Ctrl-] to exit from the Telnet program, since I wasn't getting any response from Dovecot.

# telnet 110
Connected to
Escape character is '^]'.
user lila
telnet> quit
Connection closed.

[ More Info ]

[/network/email/dovecot] permanent link

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo