Sat, Dec 31, 2016 6:21 pm
Using netstat to determine the process that is using a network port under Linux
While troubleshooting an issue on a CentOS server, which functions as a web server, I used the tcpdump utility to monitor network traffic to and from the web server. I used the tcpdump command tcpdump -i enp1s4 -vvv port 80 to observe traffic on network interface enp1s4, which was the Local Area Network (LAN) interface, and only on port 80, the well-known port for HTTP traffic. Amidst the expected traffic I also saw HTTP connectivity from the server on which I was performing the troubleshooting to another web server, which seemed odd, since it wasn't immediately apparent to me why the server I was troubleshooting was connecting to that other web server at IP address 8.247.90.236.
15:12:46.491073 IP (tos 0x0, ttl 64, id 21907, offset 0, flags [DF], proto TCP (6), length 52)
    moonpoint.com.33309 > 8.247.90.236.http: Flags [F.], cksum 0x26b7 (incorrect -> 0x2738), seq 3599572683, ack 3802137359, win 115, options [nop,nop,TS val 2833407685 ecr 423340583], length 0
15:12:46.515987 IP (tos 0x0, ttl 54, id 31318, offset 0, flags [none], proto TCP (6), length 52)
    8.247.90.236.http > moonpoint.com.33309: Flags [F.], cksum 0x13c6 (correct), seq 1, ack 1, win 114, options [nop,nop,TS val 423345561 ecr 2833407685], length 0
15:12:46.516052 IP (tos 0x0, ttl 64, id 21908, offset 0, flags [DF], proto TCP (6), length 52)
    moonpoint.com.33309 > 8.247.90.236.http: Flags [.], cksum 0x26b7 (incorrect -> 0x13ac), seq 1, ack 2, win 115, options [nop,nop,TS val 2833407710 ecr 423345561], length 0
Fri, Dec 30, 2016 7:45 pm
SSH break-in attempts from 116.31.116.xxx IP addresses
Yesterday, while using the free and open source packet analyzer software Wireshark to observe network traffic reaching a router, I had set a packet filter in Wireshark to filter on Internet Control Message Protocol (ICMP) traffic. I saw a lot of unexpected ICMP "port unreachable" packets coming from a server behind the router headed outbound to the Internet to the IP address 116.31.116.41.
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (port unreachable)
Checksum: 0xa821 [correct]
[Checksum Status: Good]
Unused: 00000000
ICMP destination unreachable packets are "generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason." There is a "code" field that follows the "type" field in an ICMP packet. If the code is 3, then it indicates a port unreachable error (the designated protocol is unable to inform the host of the incoming message). When I checked the destination port at the server end, I saw it was 22, which is the well-known port for the Secure Shell (SSH) protocol.
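The ICMP message quotes the IP header and the first eight bytes of the transport header of the packet that was rejected, which is how the destination port of 22 can be read off a reply that is itself headed outbound. The following Python, added here as an example and not code from the post, decodes a destination-unreachable message that way and goes one step further by tallying port-unreachable replies per remote address, which is the quick way to see which external host keeps hitting a closed or rejected port. The ICMP datagrams are constructed samples; the server address 192.0.2.10, the second remote address and all port numbers other than 22 are assumptions.

```python
import ipaddress
import struct
from collections import Counter

CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
         3: "port unreachable", 4: "fragmentation needed",
         13: "communication administratively prohibited"}
PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}


def build_unreachable(orig_src, orig_dst, proto, sport, dport, code=3):
    """Constructed ICMP type 3 datagram: 8-byte ICMP header, then the quoted 20-byte
    IP header and first 8 bytes of the transport header of the packet being
    rejected (RFC 792). Checksums are left at zero and are not verified here."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(orig_src).packed,
                         ipaddress.ip_address(orig_dst).packed)
    l4_hdr = struct.pack("!HHI", sport, dport, 0)      # ports plus 4 filler bytes
    return struct.pack("!BBHI", 3, code, 0, 0) + ip_hdr + l4_hdr


def parse_unreachable(icmp):
    """Decode an ICMP destination-unreachable message: the quoted header tells us
    who sent the rejected packet and which local port it was aimed at."""
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != 3:
        raise ValueError(f"type {icmp_type} is not destination unreachable")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4                        # quoted IP header length
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "code": code,
        "reason": CODES.get(code, f"code {code}"),
        "proto": PROTOS.get(inner[9], str(inner[9])),
        "remote": str(ipaddress.ip_address(inner[12:16])),  # sender of rejected packet
        "remote_port": sport,
        "local": str(ipaddress.ip_address(inner[16:20])),   # host that rejected it
        "local_port": dport,
    }


def rejected_by_remote(messages, local_port=None):
    """Count port-unreachable replies per remote address, optionally for one local port only."""
    hits = Counter()
    for msg in messages:
        info = parse_unreachable(msg)
        if info["code"] == 3 and local_port in (None, info["local_port"]):
            hits[info["remote"]] += 1
    return hits


# Constructed samples: three rejected SSH (tcp/22) packets from 116.31.116.41, the
# address in the post, and one stray UDP probe from a TEST-NET-2 address.
SAMPLES = [build_unreachable("116.31.116.41", "192.0.2.10", 6, 40000 + i, 22)
           for i in range(3)]
SAMPLES.append(build_unreachable("198.51.100.7", "192.0.2.10", 17, 5353, 161))

if __name__ == "__main__":
    print(parse_unreachable(SAMPLES[0]))
    print(rejected_by_remote(SAMPLES, local_port=22))
```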
Thu, Dec 29, 2016 10:38 pm
Setting up a Family Library for a Kindle Fire HD 10
My wife usually reads at night using her Amazon Kindle before going to sleep. Recently, however, she experienced problems charging the Kindle. We looked at new Kindles, including the Kindle Fire HD 10 Tablet. That Kindle is larger than her prior Kindle, but she was impressed with how light it is and felt that she could read comfortably at night in bed with it, so we ordered that one online; it arrived today. When I purchased our first Kindle, the first one offered, we shared the Kindle. Eventually I bought her a Kindle of her own and then later we purchased a new third Kindle for her, but since Amazon didn't offer a means to transfer books from one family member to another, we didn't have a mechanism for transferring her books from the first and second Kindles to her latest Kindle if we created a second account just for her. So she would see my books if she looked for books we'd purchased to download to her Kindle, and I'd see recommendations reflecting her reading tastes when I logged into my account. It was annoying that Amazon didn't previously provide a means for us to separate our Kindle ebooks, but when the new Kindle arrived today, I decided I'd check to see if they now did offer an option for family members to share or transfer books, since it had probably been at least a year since I'd last checked. Happily, I found that Amazon now offers a "Family Library" option that allows adult family members to share books with one another, which would allow me to create a new Amazon account for her and share the books she'd already purchased under my original account to her new account.
Sat, Dec 24, 2016 4:32 pm
Remove a site's cookies from Firefox
The following steps can be taken to remove the cookies associated with a particular website in the Firefox browser. Note: these steps were taken on Firefox 50.0.2 on a Microsoft Windows 10 system, but should be applicable to other versions as well.
- Click on the 3 horizontal bars at the upper, right-hand corner of the Firefox window.
- Click on Options.
- In the about:preferences window, click on Privacy.
- Under the History section of the Privacy window, click on "remove individual cookies".
- In the Cookies window, scroll down until you find the relevant site.
- Click on the relevant site to select it, then click on the Remove Selected button.
Sat, Dec 17, 2016 10:06 pm
Searching browsing history for a specified period with BrowsingHistoryView
I performed a malware scan of a system with McAfee Total Protect on 2016-12-14 which found malware that was apparently placed on the system on December 8, 2016. Since BrowsingHistoryView from Nir Sofer provides a means to examine the browsing history stored on a system for many browsers, I installed it on the system - the installation process consists of simply extracting the files contained in the zip file you can download from the NirSoft website - in an attempt to determine the source for the malware. I thought there might be an entry in the browsing history for a time near the time stamp on the malware file that would reveal a website from which it might have been downloaded. BrowsingHistoryView allows one to view the browsing history for the following browsers:
- Chrome
- Chrome Canary
- Firefox
- Microsoft Internet Explorer
- Microsoft Edge
- Opera
- Safari
- SeaMonkey
- Vivaldi
- Yandex
Sat, Dec 17, 2016 9:45 pm
SUPERAntiSpyware detected Search Protection
I ran a scan for malware on a Microsoft Windows 10 system using SUPERAntiSpyware, an anti-spyware program that is available as a free version, today. I ran a scan of another Windows 10 system at the same location using SUPERAntiSpyware a few days ago after the user of that system reported performance problems on her system. The other user told me that the user of the system I scanned today was also experiencing problems with her system. SUPERAntiSpyware reported "1 Item Found" on the system I scanned today. It reported that it found an application Search Protection:
Search Protection is a program that may display advertisements and is bundled with other potentially unwanted programs.
It identified the following Windows registry key as suspicious:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SearchProtectionService
Fri, Dec 16, 2016 11:02 pm
Changing the Windows 10 proxy server settings
You can view or change the proxy server settings for a Microsoft Windows 10 system by using the Microsoft Edge browser to manage the proxy server settings or you can do it from a command line interface (CLI), i.e., a command prompt, using the reg command. To determine whether the system is currently configured to use a proxy server, you can use the reg query command below.
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable REG_DWORD 0x0
C:\>
The 0x0 represents hexadecimal value zero and that value indicates the system is not currently configured to use a proxy server. A value of one, i.e., 0x1, indicates it is currently configured to use a proxy server.
Even if the value is 0, you can determine if a proxy server had previously been set that will be used again if you set the value to 1 by using the reg query command below.
C:\>reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer REG_SZ socks=127.0.0.1:1080
C:\>
In the example above, if the value is set to 1, i.e., the system is reconfigured to use a proxy server, a SOCKS proxy server will be used that is listening on the localhost address, i.e., 127.0.0.1, on the SOCKS proxy registered port, i.e., TCP port 1080. E.g., a SOCKS proxy could be set up with PuTTY, a free Secure Shell (SSH) client program.
To enable a proxy server, a reg add command can be used as shown below.
C:\>reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
The operation completed successfully.
C:\>
In the example above, since the proxy server setting was set to be a SOCKS proxy, any browser, such as Edge or Firefox, if it was configured to use the system wide proxy settings, would now route web traffic through the proxy server.
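Read together, the two reg query results above describe a proxy that is dormant but a single registry write away from being active, and one that points at a listener on the machine itself. The following Python, an example added here and not code from the post, parses saved reg query output and the ProxyServer value format and reports that state for each configured proxy; the sample text is constructed from the output shown above, and the scheme=host:port list form is the other syntax WinINET accepts for ProxyServer.

```python
import re

# One value line of "reg query ... /v NAME" output: name, type and data separated by spaces.
REG_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<value>.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_reg_query(output):
    """Turn reg query output into {name: value}; REG_DWORD hex data becomes an int."""
    values = {}
    for line in output.splitlines():
        m = REG_LINE.match(line)
        if m:
            data = m.group("value").strip()
            values[m.group("name")] = int(data, 16) if m.group("type") == "REG_DWORD" else data
    return values


def parse_proxy_server(setting):
    """Decode WinINET ProxyServer syntax: 'host:port' for every protocol, or a
    ';'-separated list of 'scheme=host:port' entries (http, https, ftp, socks)."""
    proxies = {}
    for entry in filter(None, (e.strip() for e in setting.split(";"))):
        scheme, _, hostport = entry.partition("=") if "=" in entry else ("all", "", entry)
        host, sep, port = hostport.rpartition(":")
        if not sep:                                  # no port given
            host, port = hostport, ""
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def proxy_findings(values):
    """Read the two values the post queries the way a defender would: is a proxy
    active, is one dormant and one registry write away from being active, and
    does it point at a listener on this very machine?"""
    enabled = values.get("ProxyEnable", 0) == 1
    server = values.get("ProxyServer", "")
    if not server:
        return ["no ProxyServer configured"]
    state = "active" if enabled else "dormant (ProxyEnable=0; re-activated by setting it to 1)"
    findings = []
    for scheme, (host, port) in parse_proxy_server(server).items():
        note = f"{scheme} proxy {host}:{port} is {state}"
        if host.lower() in LOOPBACK:
            note += "; loopback proxy: identify the process listening on that port"
        findings.append(note)
    return findings


# Constructed sample: the two query results shown in the post, pasted together.
SAMPLE = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x0
    ProxyServer    REG_SZ    socks=127.0.0.1:1080
"""

if __name__ == "__main__":
    for finding in proxy_findings(parse_reg_query(SAMPLE)):
        print(finding)
```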
Related:
- Checking Microsoft Windows proxy server settings (MoonPoint Support; created Wednesday January 7, 2015, last modified Saturday June 27, 2015)
- Finding the proxy setting for Firefox from a command line (MoonPoint Support; created Saturday November 15, 2014, last modified Sunday November 16, 2014)
Thu, Dec 15, 2016 10:25 pm
Locating an OS X window that is no longer visible
I started the installation of a program on a MacBook Pro laptop running OS X Yosemite (10.10.5), but then switched to a Terminal window. When I wanted to switch back to the installation window I could no longer find it in the OS X dock at the bottom of the screen, nor could I see it by cycling through open windows with the Command-Tab keys, nor did I see it when I clicked on the Apple icon at the upper, left-hand corner of the screen and looked for it under Force Quit. When I tried to restart the installation by clicking on the Apple Disk Image .dmg file, nothing appeared to happen. I was able to find the invisible window by hitting the F3 function key on the keyboard, though. I could then see the hidden DiskImages UI Agent window that I hadn't been able to locate previously. I was able to click on it and bring it to the foreground where I could proceed with the installation.
Wed, Dec 14, 2016 11:04 pm
Malware scan of a Windows 10 system with McAfee Total Protect on 2016-12-14
I ran a malware scan of a Microsoft Windows 10 system yesterday after the user of the system reported that she was having problems with QuickBooks and Internet Explorer on the system and that the system had been performing poorly for some time. SUPERAntiSpyware detected Cartwheel Shopping, et al. potentially unwanted software on the system. I had SUPERAntiSpyware remove everything it detected, but this evening decided to also run a scan of the system with the antivirus software, McAfee Total Protection, which has been on the system since it was purchased. That antivirus software reported it detected two items. The two items detected were Adware-DealPly and PUP-XAO-ME.
Tue, Dec 13, 2016 10:24 pm
SUPERAntiSpyware detected Cartwheel Shopping, et al.
A user reported that she was having a lot of problems with her Windows 10 PC, including performance issues and problems with the Internet Explorer web browser. When I logged into an administrator account and scanned the system with SUPERAntiSpyware, an anti-spyware program that is available as a free edition, it detected Cartwheel Shopping, which it noted "is a program that may display advertisements and is bundled with other potentially unwanted programs."
Mon, Dec 12, 2016 8:22 am
Converting man pages to HTML files with man2html
When I want to convert man pages to HTML files, I usually employ the groff utility. E.g., I can locate the modifyrepo man page with the find command and then cut and paste the location of the man page file after the cat command or use command substitution to take the output from the find command as input to the cat command. I then pipe the output into the groff command. But sometimes that method doesn't produce clean HTML code. An alternative means of producing an HTML file from a man page is with the man2html utility.
Sun, Dec 11, 2016 9:19 pm
Changing the time for a Windows 10 automatic restart
When an automatic reboot has been scheduled for a Microsoft Windows 10 system after an operating system (OS) update, you will be warned that the system will be rebooted. The system shouldn't be rebooted while you are actively using it, but it could reboot after you've stepped away from the system temporarily for a short time when the OS deems the system is idle, if the time is outside what the OS considers the "active hours" for the system, i.e., the hours you would be expected to be using it normally. Windows' view of what are "active hours" may be different from your view, however. You can check on what hours it deems to be the "active ones" for your PC and change the time it is scheduled to reboot automatically by bringing up the Windows Update settings window by the following steps.
Sat, Dec 10, 2016 8:25 pm
tcpdump bad udp cksum 0x431e message
While troubleshooting a problem with Domain Name System (DNS) lookups on a CentOS 7 system, I ran tcpdump using the -vv option to get very verbose output. The output from tcpdump showed many "bad udp cksum 0x431e" messages.
# tcpdump -i enp1s4 -vv port 53
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 bytes
15:04:44.432784 IP (tos 0x0, ttl 64, id 18564, offset 0, flags [DF], proto UDP (17), length 75)
    moonpoint.com.39018 > 208.67.220.220.domain: [bad udp cksum 0x431e -> 0x9f9d!] 29085+ A? 248.13.189.1.sbl.spamhaus.org. (47)
15:04:44.433856 IP (tos 0x0, ttl 64, id 21529, offset 0, flags [DF], proto UDP (17), length 73)
As explained at UDP / TCP Checksum errors from tcpdump & NIC Hardware Offloading by Sokratis Galiatsis: "This is caused because you have checksum offloading on your network card (NIC) and tcpdump reads IP packets from the Linux kernel right before the actual checksum takes place in the NIC's chipset. That's why you only see errors in tcpdump and your network traffic works ok."
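The "0x431e -> 0x9f9d" part of the message is tcpdump's own verification: the first number is what it found in the UDP checksum field, the second is what the field should hold once the NIC has finished. The following Python, added here as an example and not code from the post or the cited article, performs that same RFC 768 calculation over a constructed copy of the query above (same ports, DNS id and name; the source address 192.0.2.10 is assumed, since the capturing host's address is not given) and renders the verdict the way tcpdump does. The offload_placeholder function encodes an assumption about what the Linux kernel leaves in the field before handing the segment to the NIC.

```python
import ipaddress
import struct


def ones_complement_sum(data):
    """Folded 16-bit one's complement sum of data (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, udp_len):
    """IPv4 pseudo-header covered by the UDP checksum (RFC 768): src, dst, zero, proto 17, length."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_len))


def udp_checksum(src, dst, segment):
    """Correct checksum for a UDP segment (header + payload), computed with the field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF
    return csum or 0xFFFF        # a computed 0 is sent as 0xFFFF; 0 on the wire means "no checksum"


def verify_udp(src, dst, segment):
    """Report the checksum field the way tcpdump -vv does."""
    field = struct.unpack("!H", segment[6:8])[0]
    expected = udp_checksum(src, dst, segment)
    if field == 0:
        return "no cksum"
    if field == expected:
        return f"udp cksum 0x{field:04x} (correct)"
    return f"bad udp cksum 0x{field:04x} -> 0x{expected:04x}!"


def offload_placeholder(src, dst, udp_len):
    """Assumption about the Linux tx-offload path: the kernel stores only the folded
    pseudo-header sum in the field and lets the NIC finish the calculation, so a capture
    taken before the NIC (which is where tcpdump reads) shows this partial value."""
    return ones_complement_sum(pseudo_header(src, dst, udp_len))


def dns_query(qid, qname):
    """Constructed DNS A query: standard query, recursion desired, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_udp(sport, dport, payload, check):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), check) + payload


# Constructed sample modelled on the capture in the post: the same query to 208.67.220.220,
# sent from a TEST-NET address because the original host's address is not part of the example.
SRC, DST = "192.0.2.10", "208.67.220.220"
PAYLOAD = dns_query(29085, "248.13.189.1.sbl.spamhaus.org.")
PARTIAL = build_udp(39018, 53, PAYLOAD, offload_placeholder(SRC, DST, 8 + len(PAYLOAD)))
FINAL = build_udp(39018, 53, PAYLOAD, udp_checksum(SRC, DST, PARTIAL))
```

Calling verify_udp on PARTIAL gives the "bad udp cksum" line tcpdump prints on the sending host, while FINAL, the segment as the NIC completes it, verifies as correct.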
Wed, Dec 07, 2016 11:27 pm
Show all drives from Windows command prompt
If you need to obtain a list of all disk drives on a Microsoft Windows system from a command line interface (CLI), e.g., a command prompt window, you can do so using Windows Management Instrumentation Command-line (WMIC). You can obtain a list of drives by opening a command prompt window and then issuing a wmic logicaldisk get command followed by parameters relevant to the information you wish to see. You can see a list of parameter options by issuing the command wmic logicaldisk get /?.
C:\>wmic logicaldisk get /?
Property get operations.
USAGE:
GET [<property list>] [<get switches>]
NOTE: <property list> ::= <property name> | <property name>, <property list>
The following properties are available:
Property Type Operation
======== ==== =========
Access N/A N/A
Availability N/A N/A
BlockSize N/A N/A
Caption N/A N/A
Compressed N/A N/A
ConfigManagerErrorCode N/A N/A
ConfigManagerUserConfig N/A N/A
Description N/A N/A
DeviceID N/A N/A
DriveType N/A N/A
ErrorCleared N/A N/A
ErrorDescription N/A N/A
ErrorMethodology N/A N/A
FileSystem N/A N/A
FreeSpace N/A N/A
InstallDate N/A N/A
LastErrorCode N/A N/A
MaximumComponentLength N/A N/A
MediaType N/A N/A
Name N/A N/A
NumberOfBlocks N/A N/A
PNPDeviceID N/A N/A
PowerManagementCapabilities N/A N/A
PowerManagementSupported N/A N/A
ProviderName N/A N/A
Purpose N/A N/A
QuotasDisabled N/A N/A
QuotasIncomplete N/A N/A
QuotasRebuilding N/A N/A
Size N/A N/A
Status N/A N/A
StatusInfo N/A N/A
SupportsDiskQuotas N/A N/A
SupportsFileBasedCompression N/A N/A
VolumeName N/A N/A
VolumeSerialNumber N/A N/A
The following GET switches are available:
/VALUE - Return value.
/ALL(default) - Return the data and metadata for the attribute.
/TRANSLATE:<table name> - Translate output via values from <table name>.
/EVERY:<interval> [/REPEAT:<repeat count>] - Returns value every (X interval) seconds, If /REPEAT specified the command is executed <repeat count> times.
/FORMAT:<format specifier> - Keyword/XSL filename to process the XML results.
NOTE: Order of /TRANSLATE and /FORMAT switches influences the appearance of output.
Case1: If /TRANSLATE precedes /FORMAT, then translation of results will be followed by formatting.
Case2: If /TRANSLATE succeeds /FORMAT, then translation of the formatted results will be done.
C:\>
For example, the results from issuing the command on a Windows 10
system to display the device ID, volume name, and description are shown
below:
C:\>wmic logicaldisk get deviceid, volumename, description
Description DeviceID VolumeName
Local Fixed Disk C: OS
CD-ROM Disc D:
CD-ROM Disc E:
Removable Disk F: EMTEC
C:\>
Sat, Dec 03, 2016 11:02 pm
Large number of procmail processes and failing POP3 connections
I was notified by a user that she was not able to check her email. After verifying that I could successfully establish a Telnet connection to the Simple Mail Transfer Protocol (SMTP) port, i.e., well-known port 25, which her system would use for sending email, I then tried establishing a Post Office Protocol version 3 (POP3) connection to the mail server from an external Microsoft Windows system, using Microsoft's telnet client. But that got stuck at "connecting to".
Microsoft Telnet> open mail.example.com 110
Connecting To mail.example.com...
So I logged into the mail server, which is a CentOS 7 Linux server running Sendmail and Dovecot, and tried connecting to the localhost address, 127.0.0.1, but Dovecot never responded with a banner, nor did I receive any response when I issued a user command to provide login credentials. I had to hit Ctrl-] to exit from the Telnet program, since I wasn't getting any response from Dovecot.
# telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
user lila
^]
telnet> quit
Connection closed.
#